If you discover a security vulnerability in arazzo-cli, please report it privately using GitHub's built-in vulnerability reporting:
- Go to the Security tab
- Click "Report a vulnerability"
- Provide a description of the issue and steps to reproduce
Please do not open a public issue for security vulnerabilities.
I'll acknowledge reports within a reasonable timeframe and provide an update when a fix is available. There is no formal SLA — this is a single-maintainer project.
This policy covers the arazzo-cli binary, the arazzo-runtime crate, and the VS Code debug adapter. It does not cover third-party dependencies (report those upstream).