| Version | Supported |
|---|---|
| 1.x | ✓ |
| < 1.0 | ✗ |
Pre-1.0 development snapshots are unsupported. Until v1.0.0 is tagged, this
table is forward-looking — use the latest main and report any issues against
that tip.
Please do not open a public GitHub issue for security-sensitive reports.
Use one of the following channels:
- GitHub private security advisory — preferred. From the repository, open the Security tab → Report a vulnerability. This creates a private advisory visible only to you and the maintainers.
- Email — sandwich.farm@protonmail.com. Use a descriptive subject line prefixed with `[burrow security]`.
Please include reproduction steps, the affected burrow version (output of `burrow version`), and the platform (`uname -a` or the Windows build number) when possible.
- 7 days — initial acknowledgement of receipt.
- 30 days — initial triage, severity assessment, and a written response with our intended remediation path.
- 90 days — coordinated disclosure target from the date of the initial report. The 90-day window is extensible by mutual agreement when a fix is in active development.
If we cannot meet a milestone we will tell you why and propose a new date.
In scope:
- Bugs in the `burrow` CLI binary that could leak credentials, allow arbitrary code execution, or otherwise compromise the system on which `burrow` is installed.
- Issues in the credential-store integrations (macOS Keychain, libsecret, pass, Windows Credential Manager, plaintext fallback) that result in unintended credential exposure.
- Supply-chain integrity issues in the release artifacts produced by `.goreleaser.yaml` / `.github/workflows/release.yml` (signature, SBOM, checksum, or provenance failures).
Out of scope:
- Issues in upstream Go standard library or third-party dependencies — please report those upstream.
- Issues in the Bunny.net REST API itself — please report those directly to Bunny.
- Vulnerabilities that require an already-compromised local user account or physical access to the machine running `burrow`.
Reporters who follow coordinated disclosure are credited in the `CHANGELOG.md` entry for the release that contains the fix, unless they request anonymity.