Potaco is in early development. Security fixes are applied to the latest
release on main only.
If you discover a security vulnerability in Potaco, please report it responsibly:
- Do not open a public GitHub issue.
- Email the maintainer at the address listed on the GitHub profile.
- Include a description of the vulnerability, steps to reproduce, and the potential impact.
You will receive a response within 72 hours. If the vulnerability is confirmed, a fix will be prepared and a security advisory published via GitHub Security Advisories.
Vulnerabilities in the Potaco CLI itself, its configuration handling, and its interaction with provider APIs are in scope. Vulnerabilities in third-party dependencies should be reported to the upstream maintainers.
We follow responsible disclosure. We ask that you give us reasonable time to fix the issue before any public disclosure.