If you discover a security vulnerability in daft, please report it privately by emailing:
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity, typically within 30 days
This policy covers vulnerabilities in:
- The daft binary and its commands
- The hooks system trust model
- Installation scripts
Out of scope:
- Vulnerabilities in dependencies (report to upstream maintainers)
- Social engineering attacks
- Issues requiring physical access to your machine
We follow coordinated disclosure. Once a fix is released, we'll credit reporters (unless anonymity is preferred) in the release notes.