Skip to content

Security: widgrensit/asobi-cli

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security vulnerability in asobi-cli, please report it privately so we can fix it before it is publicly disclosed.

Do not open a public GitHub issue for security issues.

How to report

Either of these channels work:

What to expect

  • Acknowledgement within 48 hours
  • Initial assessment within 7 days
  • Coordinated disclosure timeline agreed with you
  • Credit in the security advisory if you want it

Supported versions

Version Supported
latest stable
older releases ❌ — please upgrade

Scope

In scope:

  • The asobi-cli Go binary (this repository)
  • Stored credential format and the device-code login flow

Out of scope:

Credential storage

asobi-cli stores credentials at ~/.asobi/credentials.json (%USERPROFILE%\.asobi\credentials.json on Windows). The CLI does not transmit credentials over unencrypted channels and uses ECDH+AES-GCM for the initial device-code login exchange.

On Linux and macOS the file is written with mode 0600 in a 0700 directory, restricting it to the owning user. On Windows those modes only set the read-only attribute; the file is instead protected by the ACL it inherits from your user profile (owner, SYSTEM, and Administrators). Encrypting the credential file at rest with DPAPI is tracked as a hardening enhancement.

There aren't any published security advisories