We take security seriously. If you discover a security vulnerability in Kodra WSL, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please:

1. Email: Send details to security@codetocloud.io
2. Discord: DM a maintainer on our Discord server

Please include the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fixes (optional)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Within 30 days for critical issues

When using Kodra WSL:

1. Review scripts before running: Always inspect boot.sh and installation scripts before execution
2. Keep WSL updated: Run wsl --update regularly
3. Update Kodra tools: Run kodra update to get the latest tool versions
4. Secure your credentials:
   • Don't commit Azure credentials to repos
   • Use az login for authentication
   • Store secrets in Azure Key Vault

Kodra WSL installs several third-party tools. Security updates for these tools are managed by their respective maintainers:

• Docker CE: Docker Security
• Azure CLI: Microsoft Security Updates
• GitHub CLI: GitHub Security
• Terraform/OpenTofu: HashiCorp Security

We recommend running kodra update regularly to get the latest versions.

• WSL2 runs in a lightweight VM, providing isolation from Windows
• Docker CE runs within WSL2, not as a Windows service
• Firewall rules should be configured for WSL network access if needed

We appreciate responsible security researchers who help keep Kodra WSL safe. Contributors who report valid security issues will be acknowledged (with permission) in our release notes.