Please do not open public GitHub issues for security vulnerabilities.
Email security@optiqor.dev with:
- A description of the vulnerability and its potential impact
- Reproduction steps (proof of concept where possible)
- Affected versions
- Your name / handle for credit (optional)
We acknowledge reports within 2 business days. We aim to ship a fix within 30 days for high-severity issues.
You may encrypt your report with our PGP key (fingerprint: TBD when key is published).
The latest minor release of @optiqor/cli receives security updates. Older versions are not supported.
In scope:
- The `optiqor` binary (this repo)
- The `@optiqor/cli` npm wrapper
Out of scope:
- The Optiqor SaaS (report to security@optiqor.dev separately)
- Third-party dependencies (please report to upstream maintainers)
We will publicly disclose accepted vulnerabilities after a fix is released, crediting the reporter unless they request otherwise.