This document outlines the security policy for the Cubbit CLI project, including how to report vulnerabilities, our disclosure process, and best practices for maintaining security.

We take the security of Cubbit CLI seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Email: security@cubbit.io

1. Initial Report: Send an email to security@cubbit.io with:

   • A clear description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact assessment

2. Acknowledgment: You will receive an acknowledgment confirming receipt of your report.

3. Investigation: Our security team will investigate the reported vulnerability and may request additional information.

4. Timeline: We aim to provide an initial assessment and keep you updated on our progress.

5. Resolution: Once the vulnerability is confirmed and fixed:

   • A new release will be made available
   • You will be credited in the security advisory (unless you prefer to remain anonymous)

To help us respond quickly and effectively, please include:

• Summary: Brief description of the vulnerability
• Severity: Your assessment of the impact (Low/Medium/High/Critical)
• Steps to Reproduce: Detailed steps to reproduce the issue
• Environment: OS, Go version, CLI version, and any relevant configuration
• Proof of Concept: Code or commands that demonstrate the vulnerability

To help maintain security:

• Keep your CLI installation updated to the latest version
• Review and validate any configuration files before use
• Use secure channels for sensitive operations
• Report any suspicious behavior or unexpected outputs

Security updates are released as patch versions and are marked with the [SECURITY] tag in our CHANGELOG.md.

• Security Issues: security@cubbit.io
• General Support: GitHub Issues
• Documentation: docs.cubbit.io

Thank you for helping keep Cubbit CLI secure!