We take the security of the InstaNode CLI seriously. Thank you for helping keep our users and infrastructure safe.

Please report suspected security issues by email to security@instanode.dev.

Include as much of the following as you can:

• A description of the vulnerability and its impact.
• Steps to reproduce, ideally a minimal proof of concept.
• The affected version, commit SHA, or release tag.
• Any suggested remediation.

We aim to acknowledge new reports within 2 business days and to provide a substantive response (triage outcome, severity, expected timeline) within 7 business days.

Please do not open a public GitHub issue, pull request, or discussion for suspected vulnerabilities until a fix is available and we have agreed on a coordinated disclosure date.

In scope:

• The CLI binary and source in this repository (github.com/InstaNode-dev/cli).
• Authentication flows used by the CLI (device-code login, token storage, keyring integration).
• Any code path that handles user credentials, API tokens, or secrets.

Out of scope:

• Vulnerabilities in third-party dependencies (please report upstream; we will pick up patched versions promptly).
• Issues that require a pre-compromised local machine (full local user account compromise, malicious OS packages, etc.).
• Findings that depend on running custom or modified builds of the CLI.
• Social engineering of InstaNode staff or users.

We will not pursue or support legal action against researchers who:

• Make a good-faith effort to comply with this policy.
• Avoid privacy violations, destruction of data, and disruption of service.
• Only interact with accounts they own or have explicit permission to access.
• Give us a reasonable opportunity to remediate before public disclosure.

If in doubt, email security@instanode.dev before testing — we are happy to scope a test plan with you.