We recommend always using the latest release.

Please do not report security vulnerabilities through public GitHub issues.

Instead, report them privately via one of these methods:

1. GitHub Security Advisories (Preferred)
   Go to the Security tab and click "Report a vulnerability"

2. Email
   Contact the maintainer directly (see GitHub profile)

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial response: Within 48 hours
• Status update: Within 7 days
• Fix timeline: Depends on severity, typically within 30 days

This security policy covers:

• The Stacktower CLI binary
• The Go library (pkg/)
• The official container images (if any)

Out of scope:

• Third-party dependencies (report to the respective maintainers)
• The documentation website (stacktower.io)

When using Stacktower:

• API Tokens: Never commit GITHUB_TOKEN or GITLAB_TOKEN to version control
• Cache Directory: The cache at ~/.cache/stacktower/ may contain API responses; treat it as potentially sensitive
• Dependencies: Run make vuln or govulncheck ./... to check for known vulnerabilities