
Security: getAttestely/cli


SECURITY.md

Security Policy

Supported versions

The Attestely CLI is currently in 0.x alpha. We only support the latest released version with security fixes during the alpha period. Once we tag 1.0.0, this policy will move to the standard semver-aligned support window.

Version   Supported
0.x       Yes (latest release only)
< 0.1     No

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Email security disclosures to security@attestely.com. PGP encryption is welcome but not required.

Please include:

  • A description of the issue and its impact
  • Steps to reproduce (CLI version, OS/arch, command line, repo shape)
  • Whether the issue affects anonymous mode, connected mode, or both
  • Your preferred contact for follow-up

We aim to:

  • Acknowledge your report within 2 business days.
  • Triage and give you a preliminary severity assessment within 5 business days.
  • Fix confirmed high/critical issues in the next patch release, typically within 30 days.

Scope

In scope:

  • The CLI binary published under this repository.
  • The CLI's interaction with api.attestely.com (auth, payload shape, secret handling).
  • The scanner installer (internal/scanner/installer) and its checksum verification.
  • Anonymous-mode contract violations (any outbound HTTP made when --anonymous is set, outside the documented exception for downloading scanner binaries on first run).

Out of scope:

  • The upstream scanners (Trivy, Semgrep, gitleaks) — please report directly to their projects.
  • The Attestely SaaS backend at api.attestely.com — report via the same email address and we'll route it.
  • Findings produced by the scanners — those are user-data issues to address in your own repository.

Disclosure

We follow coordinated disclosure. Once a fix is available, we'll publish a GitHub Security Advisory crediting the reporter (unless you'd prefer to remain anonymous) and include details in the next release's CHANGELOG.md.
