
Security: codetocloudorg/kodra-macos

SECURITY.md

Security Policy

Supported Versions

Version | Supported
--------|----------
0.5.x   | Yes

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in Kodra macOS, please report it responsibly.

How to Report

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please:

  1. Email: Send details to security@codetocloud.io
  2. Discord: DM a maintainer on our Discord server

What to Include

Please include the following information:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested fixes (optional)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: Within 30 days for critical issues

Security Best Practices for Users

When using Kodra macOS:

  1. Review scripts before running: Always inspect boot.sh and installation scripts before execution
  2. Keep macOS updated: Run Software Update regularly
  3. Update Kodra tools: Run kodra update to get the latest tool versions
  4. Secure your credentials:
    • Don't commit Azure credentials to repos
    • Use az login for authentication
    • Store secrets in Azure Key Vault

Third-Party Tools

Kodra macOS installs several third-party tools. Security updates for these tools are managed by their respective maintainers:

We recommend running kodra update regularly to get the latest versions.

macOS-Specific Security

  • Homebrew installs to /opt/homebrew (Apple Silicon) with user-level permissions
  • Colima runs Docker in a lightweight Lima VM, isolated from the host
  • No system-level daemons are installed — only user-level launchd agents
  • Shell config modifications are limited to ~/.zshrc sourcing

Acknowledgments

We appreciate responsible security researchers who help keep Kodra macOS safe. Contributors who report valid security issues will be acknowledged (with permission) in our release notes.