Report security issues privately through GitHub's "Report a vulnerability" button on the repository Security tab.

Do not publish vulnerability details in public issues, discussions, or pull requests before there is a fix or mitigation.

Do not send reports by email. This repository does not publish a security contact address.

safe is itself a security tool. Reports about its sandboxing, audit logic,
install wrappers, trust decisions, bypasses, or unsafe defaults are especially
welcome.

Useful reports include:
- affected command and version;
- exact reproduction steps;
- expected and actual behavior;
- impact;
- relevant logs or JSON output with secrets removed.