Skip to content

Security: furkankoykiran/contextify-cli

Security

SECURITY.md

Security Policy

Supported Versions

Only the latest minor release line receives security fixes. The CLI follows Semantic Versioning; breaking changes will land in a new major. Older minor releases will not be backported.

Version Supported
0.5.x
< 0.5

Reporting a Vulnerability

Please do not file public GitHub issues for security vulnerabilities.

Report via one of these private channels, in order of preference:

  1. GitHub Private Vulnerability Reportingopen a draft advisory. This is the fastest path: it stays private until we publish the fix, and keeps the discussion tied to the codebase.
  2. Emailfurkankoykiran@gmail.com with [contextify-cli security] in the subject line. Include a clear reproduction, the impacted version, and any suggested fix or mitigation. PGP is not currently required.

What to include

  • Affected version(s) — output of contextify --version.
  • Reproduction steps (or a proof-of-concept; minimal is best).
  • Impact assessment: what an attacker can do, what privileges they need.
  • Suggested fix if you have one — not required, but appreciated.

What to expect

  • Acknowledgement within 72 hours.
  • Initial assessment within 7 days, including a severity classification (CVSS 3.1 where it makes sense, otherwise plain English).
  • Fix + coordinated disclosure target: 30 days from acknowledgement for high/critical issues, 90 days for medium/low. Critical issues affecting the auto-update path or credential storage are prioritized.
  • A credit line in the release notes once the fix ships, unless you ask to remain anonymous.

Scope

In scope:

  • The published @furkankoykiran/contextify-cli npm package (any version).
  • The CLI's interaction with the npm registry (auto-update probe + install).
  • Credential handling: ~/.contextify/credentials.json storage, env-var parsing, transport to the hosted server.
  • Claude Code hook scripts shipped under src/hooks/.
  • Any RCE / privilege-escalation / data-exfiltration path triggered by running the CLI or installing the package.

Out of scope:

  • The hosted contextify.live service — report those at the contact above but they are tracked separately.
  • Issues that require physical access to the user's machine or an already-compromised account.
  • Reports auto-generated by scanners without a working proof-of-concept.

Thanks for helping keep the project safe.

There aren't any published security advisories