Skip to content

Security: Corvus400/notebooklm-study-kit

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security issues through GitHub Private Security Advisories for this repository. Do not open a public issue for a suspected vulnerability.

When reporting, include:

  • The affected version or commit.
  • The tool or script involved (for example tools/fetch_snapshot.py).
  • A minimal reproduction, if available.
  • The expected impact and any known workaround.

Scope

This repository is a documentation-and-tooling kit. The security-relevant surface is the Python in tools/:

In scope:

  • Unsafe URL handling or request behavior in tools/fetch_snapshot.py (it fetches arbitrary user-supplied URLs over HTTP and converts the response to Markdown).
  • Path traversal or unsafe writes caused by the --out path of fetch_snapshot.py or the scaffold paths of tools/scaffold_topic.py.
  • Any code path that writes outside the intended topic directory.

Out of scope:

  • Copyright compliance of any corpus you build. This repo ships without a corpus. When you fetch documentation snapshots into topics/*/corpus/, you are responsible for respecting the source's license and terms; keep a corpus-filled clone private and do not redistribute it. This is a usage responsibility, not a vulnerability in this project.
  • The behavior of NotebookLM or any third-party documentation site you fetch.
  • Vulnerabilities in markdownify, Python, or the operating system itself.
  • Content you choose to upload to NotebookLM.

Coordinated Disclosure

  1. Report the issue through GitHub Private Security Advisories.
  2. The maintainer acknowledges receipt and confirms the affected scope.
  3. A fix is prepared privately and a regression check is added when practical.
  4. A patched release is published.
  5. The advisory is published with impact, affected versions, and mitigation details.

There aren't any published security advisories