Fuseraft CLI is early-stage software. Only the latest commit on main and the most recent published release receive security fixes.

Please do not file a public GitHub issue for security vulnerabilities.

Use one of the two private channels below:

1. Go to the Security tab of this repository.
2. Click Report a vulnerability.
3. Fill in the advisory form. GitHub keeps the report private until a fix is published.

Send a report to scstauf@gmail.com with:

• Subject: [fuseraft-cli] Security report
• A description of the vulnerability and its impact
• Steps to reproduce or a proof-of-concept (if available)
• Any suggested fix (optional but appreciated)

PGP encryption is not required but appreciated for highly sensitive reports.

If a fix will take longer than the target, we will communicate the delay and provide a mitigation or workaround if one is available.

We follow coordinated (responsible) disclosure:

• Security fixes are committed and released before any public discussion of the vulnerability.
• Once a fix is released, we publish a GitHub Security Advisory crediting the reporter (unless they prefer to remain anonymous).
• We ask reporters to refrain from public disclosure until the fix is released, or for a maximum of 90 days after the initial report — whichever comes first.

The following areas are in scope for security reports:

Out of scope:

• Vulnerabilities that require the attacker to already have write access to ~/.fuseraft/ or the project directory
• Social engineering or phishing
• Issues in LLM provider infrastructure (Anthropic, OpenAI, xAI, etc.)
• Theoretical vulnerabilities without a realistic attack path
• Issues only reproducible with Security.AllowPrivateHosts: true and a deliberately misconfigured setup

For context on the existing security controls, see:

• Security & Sandbox — filesystem sandbox, HTTP allowlist, execution rings, sudo protection, and prompt injection detection
• Security — API key storage — OS keychain integration details