Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub Security Advisories to report vulnerabilities privately.

• Acknowledgement: within 48 hours
• Patch for critical issues: within 14 days

• Credential handling and storage
• Data exposure (cost data, account IDs, resource identifiers)
• Read-only enforcement violations (any code path that could trigger a write/mutate cloud API call)
• SQLite injection or data leakage
• LLM prompt injection via cloud-sourced data

• Issues caused by user-misconfigured IAM policies
• Vulnerabilities in upstream dependencies (report those to the upstream project)
• Denial of service against the local CLI process