reeln-plugin-meta is pre-1.0 software. Security fixes are published against the latest release only. We recommend always running the most recent version from PyPI or the Releases page.
| Version | Supported |
|---|---|
| latest release | ✅ |
| older | ❌ |
reeln-plugin-meta is a reeln-cli plugin that integrates Meta platforms —
Facebook Live, Instagram, and Threads — via the Graph API and Threads
API. It runs inside reeln-cli on a livestreamer's local machine and
makes outbound HTTPS requests to Meta using OAuth 2.0 access tokens
stored on disk.
In-scope concerns include, but are not limited to:
- Leakage of Meta app secrets, access tokens (short- or long-lived), or page tokens via logs, error messages, cached responses, or saved state
- Insecure file permissions on the on-disk token store
- OAuth redirect / state handling flaws during the initial authorization flow (e.g. open redirect, missing CSRF state validation)
- Scope abuse — requesting broader Graph API permissions than necessary, or failing to honor revoked tokens
- Unsafe deserialization of Graph API responses or cached metadata
- Command injection or path traversal in generated upload artifacts, container media, or metadata written to disk
- Dependency confusion or typosquatting on the PyPI package name
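The following is an added illustration (not reeln-plugin-meta's own code) of what a correct implementation of three of the in-scope items above looks like, so that reporters can compare observed behaviour against it: a token store written with owner-only permissions via an atomic temp-file rename and refused on load if other local users can read it, token redaction for log output, and OAuth callback validation that requires an exact redirect URI match plus a constant-time comparison of the CSRF `state` value. All function names, the JSON file layout and the sample token, code and URL values are assumptions constructed for this example.

```python
"""Hypothetical hardening helpers for a local OAuth token store and callback.
Added example, not the plugin's code: names, file layout and sample values
are assumptions."""
import hmac
import json
import os
import secrets
import stat
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit


def write_token_store(path, tokens):
    """Write tokens as JSON, owner read/write only, via temp file + rename.

    mkstemp() creates the file with mode 0600 before any bytes are written and
    os.replace() swaps it in atomically, so no reader ever sees a half-written
    or world-readable token file."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tokens-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(tokens, f)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def token_store_is_private(path):
    """True if no group/other permission bits are set. POSIX only; on other
    platforms the check is skipped and reports True."""
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_token_store(path):
    """Refuse a token file other local users could read, and parse it with
    json (never pickle) so a tampered file cannot execute code on load."""
    if not token_store_is_private(path):
        raise PermissionError(f"{path} is readable by other users; refusing to load")
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def redact(token):
    """Mask a token for logs and error messages: keep only the last 4 chars."""
    if not token:
        return "<empty>"
    return "*" * 8 + token[-4:]


def new_oauth_state():
    """Unguessable per-authorization CSRF state value."""
    return secrets.token_urlsafe(32)


def validate_callback(expected_state, registered_redirect, callback_url):
    """Return the authorization code only if the callback arrived on exactly
    the registered redirect URI and carries the expected state."""
    parts = urlsplit(callback_url)
    received_redirect = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received_redirect != registered_redirect:  # exact match, never a prefix
        return None
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not state or not code:
        return None
    if not hmac.compare_digest(expected_state.encode(), state.encode()):
        return None
    return code


def demo():
    """Exercise the helpers on constructed values and return the outcomes."""
    results = {}
    sample = {"access_token": "EAAB-constructed-sample-token-1234", "token_type": "bearer"}
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "tokens.json")
        write_token_store(store, sample)
        results["private_after_write"] = token_store_is_private(store)
        results["roundtrip"] = load_token_store(store) == sample
        if os.name == "posix":
            os.chmod(store, 0o644)  # simulate a bad umask or manual chmod
            results["private_after_chmod"] = token_store_is_private(store)
            try:
                load_token_store(store)
                results["load_refused"] = False
            except PermissionError:
                results["load_refused"] = True
    results["redacted"] = redact(sample["access_token"])
    state = new_oauth_state()
    redirect = "http://127.0.0.1:8765/callback"  # assumed loopback redirect URI
    results["good_code"] = validate_callback(state, redirect, f"{redirect}?code=AQD-constructed-code&state={state}")
    results["wrong_state"] = validate_callback(state, redirect, f"{redirect}?code=x&state=forged")
    results["missing_state"] = validate_callback(state, redirect, f"{redirect}?code=x")
    results["wrong_path"] = validate_callback(state, redirect, f"{redirect}/../evil?code=x&state={state}")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When reproducing a token-store permissions report, the useful evidence is the mode bits of the file after the plugin writes it (`stat -c %a` on Linux) and whether a second local user can read it; for a state-handling report, show the callback URL the plugin accepted and which of the three checks above it skipped.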
Out of scope:
- Vulnerabilities in the Meta Graph API or Threads API themselves, or in upstream Meta SDKs — report those to Meta
- Vulnerabilities in reeln-cli or other reeln plugins — report those to the respective repository
- Issues that require an attacker to already have local code execution on the user's machine or access to the stored OAuth tokens
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Report vulnerabilities using GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill in as much detail as you can: affected version, reproduction steps, impact, and any suggested mitigation
If you cannot use GitHub's reporting, email git-security@email.remitz.us instead.
A good report contains:
- The version of reeln-plugin-meta, reeln-cli, and Python you tested against
- Your operating system and architecture (macOS / Windows / Linux, arch)
- Steps to reproduce the issue
- What you expected to happen vs. what actually happened
- The potential impact (token leakage, account takeover, scope abuse, data loss, etc.)
- Any proof-of-concept code, if applicable
This plugin is maintained by a small team, so all timelines below are best-effort rather than hard guarantees:
- Acknowledgement: typically within a week of your report
- Initial assessment: usually within two to three weeks, including whether we consider the report in scope and our planned next steps
- Status updates: roughly every few weeks until the issue is resolved
- Fix & disclosure: coordinated with you. We aim to ship a patch release reasonably quickly for high-severity issues, with lower-severity issues addressed in a future release. Credit will be given in the release notes and CHANGELOG unless you prefer to remain anonymous.
If a report is declined, we will explain why. You are welcome to disagree and provide additional context.