Only the latest minor release line receives security fixes. The CLI follows Semantic Versioning; breaking changes will land in a new major. Older minor releases will not be backported.
| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| < 0.5 | ❌ |
Please do not file public GitHub issues for security vulnerabilities.
Report via one of these private channels, in order of preference:
- GitHub Private Vulnerability Reporting — open a draft advisory. This is the fastest path: it stays private until we publish the fix, and keeps the discussion tied to the codebase.
- Email —
furkankoykiran@gmail.comwith[contextify-cli security]in the subject line. Include a clear reproduction, the impacted version, and any suggested fix or mitigation. PGP is not currently required.
- Affected version(s) — output of
contextify --version. - Reproduction steps (or a proof-of-concept; minimal is best).
- Impact assessment: what an attacker can do, what privileges they need.
- Suggested fix if you have one — not required, but appreciated.
- Acknowledgement within 72 hours.
- Initial assessment within 7 days, including a severity classification (CVSS 3.1 where it makes sense, otherwise plain English).
- Fix + coordinated disclosure target: 30 days from acknowledgement for high/critical issues, 90 days for medium/low. Critical issues affecting the auto-update path or credential storage are prioritized.
- A credit line in the release notes once the fix ships, unless you ask to remain anonymous.
In scope:
- The published
@furkankoykiran/contextify-clinpm package (any version). - The CLI's interaction with the npm registry (auto-update probe + install).
- Credential handling:
~/.contextify/credentials.jsonstorage, env-var parsing, transport to the hosted server. - Claude Code hook scripts shipped under
src/hooks/. - Any RCE / privilege-escalation / data-exfiltration path triggered by running the CLI or installing the package.
Out of scope:
- The hosted
contextify.liveservice — report those at the contact above but they are tracked separately. - Issues that require physical access to the user's machine or an already-compromised account.
- Reports auto-generated by scanners without a working proof-of-concept.
Thanks for helping keep the project safe.