Security: androidbroadcast/Relay

SECURITY.md

Security Policy

Supported Versions

Only the latest release is supported with security updates.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Use GitHub Private Vulnerability Reporting to submit a report. This keeps the details confidential until a fix is released.

Include in your report:

  • Description of the vulnerability and its impact
  • Steps to reproduce or proof-of-concept
  • Affected component (runner, macOS client, TLS/auth layer, proto, etc.)
  • Your suggested severity (Critical / High / Medium / Low)

What to Expect

  • Acknowledgement within 3 business days
  • Status update within 7 days (confirmed, not reproducible, or out of scope)
  • Fix timeline communicated once the issue is confirmed
  • Credit in the release notes if you wish

Scope

Security issues relevant to this project include:

  • Authentication bypass (Bearer token, mTLS)
  • TLS certificate validation flaws
  • Privilege escalation via PTY or shell allowlist bypass
  • Unauthorized access to terminal sessions
  • Sensitive data exposure (tokens, CA keys, session data)
  • Dependency vulnerabilities with a realistic exploit path

Out of scope: vulnerabilities in the host OS, third-party infrastructure not operated by this project, and issues requiring physical access to the machine.

Disclosure Policy

Once a fix is released, the vulnerability details will be published via a GitHub Security Advisory. We follow coordinated disclosure — please allow reasonable time for a fix before public disclosure.