Security: ota-run/ota

SECURITY.md

Security Policy

Ota treats the contract, diagnosis model, JSON output, installer paths, execution semantics, and release distribution surfaces as security-sensitive infrastructure.

Supported versions

Security fixes are guaranteed only for the latest released version of Ota.

If you believe a vulnerability affects an older release, reproduce it on the latest release before reporting it.

Report a vulnerability

Do not open a public GitHub issue for a suspected security vulnerability.

Instead, report it privately to:

  • os@ota.run

Include:

  • affected Ota version from ota --version
  • operating system and shell
  • whether the issue affects doctor, detect, init, up, run, install/update flows, or release/distribution paths
  • a minimal reproduction or proof-of-concept
  • expected impact and any known mitigations

What to expect

  • Ota will acknowledge the report as quickly as practical
  • reports are triaged under maintainer stewardship
  • fixes may land privately first and be disclosed after a patched release is available

Security scope

The most sensitive areas include:

  • command execution and task launching
  • backend/provider boundaries
  • installer and self-update flows
  • policy/env resolution
  • JSON output consumed by automation
  • release packaging and distribution
  • agent-facing safety and writable-boundary guidance

Public issues that are still welcome

Use normal GitHub issues for:

  • non-sensitive bugs
  • docs corrections
  • example or fixture gaps
  • false-positive diagnostics

When in doubt, prefer private disclosure first.