|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +We take the security of the InstaNode CLI seriously. Thank you for helping |
| 4 | +keep our users and infrastructure safe. |
| 5 | + |
| 6 | +## Reporting a Vulnerability |
| 7 | + |
| 8 | +Please report suspected security issues by email to **security@instanode.dev**. |
| 9 | + |
| 10 | +Include as much of the following as you can: |
| 11 | + |
| 12 | +- A description of the vulnerability and its impact. |
| 13 | +- Steps to reproduce, ideally a minimal proof of concept. |
| 14 | +- The affected version, commit SHA, or release tag. |
| 15 | +- Any suggested remediation. |
| 16 | + |
| 17 | +We aim to acknowledge new reports within **2 business days** and to provide |
| 18 | +a substantive response (triage outcome, severity, expected timeline) within |
| 19 | +**7 business days**. |
| 20 | + |
| 21 | +Please do **not** open a public GitHub issue, pull request, or discussion |
| 22 | +for suspected vulnerabilities until a fix is available and we have agreed |
| 23 | +on a coordinated disclosure date. |
| 24 | + |
| 25 | +## Scope |
| 26 | + |
| 27 | +In scope: |
| 28 | + |
| 29 | +- The CLI binary and source in this repository (`github.com/InstaNode-dev/cli`). |
| 30 | +- Authentication flows used by the CLI (device-code login, token storage, |
| 31 | + keyring integration). |
| 32 | +- Any code path that handles user credentials, API tokens, or secrets. |
| 33 | + |
| 34 | +Out of scope: |
| 35 | + |
| 36 | +- Vulnerabilities in third-party dependencies (please report upstream; we |
| 37 | + will pick up patched versions promptly). |
| 38 | +- Issues that require a pre-compromised local machine (full local user |
| 39 | + account compromise, malicious OS packages, etc.). |
| 40 | +- Findings that depend on running custom or modified builds of the CLI. |
| 41 | +- Social engineering of InstaNode staff or users. |
| 42 | + |
| 43 | +## Safe Harbor |
| 44 | + |
| 45 | +We will not pursue or support legal action against researchers who: |
| 46 | + |
| 47 | +- Make a good-faith effort to comply with this policy. |
| 48 | +- Avoid privacy violations, destruction of data, and disruption of service. |
| 49 | +- Only interact with accounts they own or have explicit permission to access. |
| 50 | +- Give us a reasonable opportunity to remediate before public disclosure. |
| 51 | + |
| 52 | +If in doubt, email **security@instanode.dev** before testing — we are happy |
| 53 | +to scope a test plan with you. |
0 commit comments