kasapi-cli is in pre-1.0 development. Only the latest released
v0.x.y minor receives security fixes; older minors are not
backported.
| Version | Supported |
|---|---|
| v0.x.y (latest) | yes |
| anything else | no |
Do not open a public GitHub issue for security vulnerabilities.
Use one of these channels instead:
- GitHub's private vulnerability reporting: open the Report a vulnerability flow under the repository's Security tab.
- E-mail: developer@kasapi-cli.chm-projects.de.
Please include:
- a clear description of the issue,
- reproduction steps or a proof-of-concept,
- the affected version (`kasapi-cli --version`),
- your assessment of impact and any suggested mitigation.
This is a maintainer-driven hobby project, not a paid product. You can expect:
- an initial acknowledgement within seven days,
- a follow-up with a triage outcome (accepted / not a vulnerability / needs more information) within three weeks,
- a fix landing in a tagged release as soon as practical for accepted vulnerabilities, with credit in the release notes unless you prefer to remain anonymous.
There is no bug bounty.
In scope:
- the `kasapi-cli` binary and its supporting Go packages under `internal/`,
- the GitHub Actions workflows under `.github/workflows/`,
- the release artefacts published on the Releases page and their `cosign` signatures.
Out of scope:
- vulnerabilities in the All-Inkl KAS API itself — please report those to All-Inkl directly,
- vulnerabilities in third-party dependencies for which an upstream patch already exists; please file or link the upstream advisory instead.
Every release artefact and the SHA256SUMS file are signed
keylessly with cosign via GitHub Actions OIDC. See the
Install section in README.md for the
verification recipe.
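As an added illustration of what that verification involves (this is not the project's own recipe, which lives in README.md), the POSIX shell script below first checks the keyless cosign signature on SHA256SUMS, then compares a downloaded artefact's digest with the entry in that file. The `SHA256SUMS.sig` / `SHA256SUMS.pem` file names and the `OWNER` placeholder in the workflow identity are assumptions; replace them with the values documented in the README before use.

```shell
# Added example, not kasapi-cli project code. Assumptions (labelled):
#   - the signature and certificate for SHA256SUMS are published beside it as
#     SHA256SUMS.sig and SHA256SUMS.pem (file names are an assumption);
#   - the release workflow runs in the GitHub repository OWNER/kasapi-cli;
#     replace OWNER with the real organisation or user.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Keyless cosign binds the signature to the workflow identity in the
# certificate; pin it to a tag build of this repository only.
IDENTITY_RE="^https://github.com/OWNER/kasapi-cli/\.github/workflows/.+@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$"

# Step 1: confirm SHA256SUMS was produced by the project's GitHub Actions
# workflow. Fails (non-zero) if the signature, certificate, issuer or
# identity do not match.
verify_sums_signature() {
    sums="$1"
    cosign verify-blob \
        --certificate "${sums}.pem" \
        --signature "${sums}.sig" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        --certificate-identity-regexp "$IDENTITY_RE" \
        "$sums"
}

# Step 2: compare the artefact's SHA-256 digest with its entry in the (now
# trusted) SHA256SUMS file. Returns 0 on match, 1 on mismatch or if the
# artefact has no entry (an unlisted file must never be accepted).
verify_artefact_checksum() {
    artefact="$1"
    sums="$2"
    name=$(basename "$artefact")
    # sha256sum writes "<hash>  <name>" (or "<hash> *<name>" in binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$artefact" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Full check: signature on the sums file first, then the artefact digest.
verify_release() {
    verify_sums_signature "$2"
    verify_artefact_checksum "$1" "$2"
}

# Usage: sh verify.sh <artefact> <path/to/SHA256SUMS>
if [ "$#" -ge 2 ]; then
    verify_release "$1" "$2" && echo "OK: $1 verified"
fi
```

Order matters: the signature check comes first so that the checksum comparison is against a SHA256SUMS file whose origin has already been established; checking digests against an unsigned sums file would only detect download corruption, not substitution.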