OpenUsage follows semantic versioning. Security fixes land on the latest minor release line. Patch releases are cut as needed and published to the GitHub releases page.

We aim to keep CVE windows short. If a high-severity issue is reported against an in-support release line, expect a patch within a few days.

Please do not file public GitHub issues for security problems.

Use GitHub's private vulnerability reporting instead. It opens a private advisory channel between you and the maintainers.

If you can't use that channel, email security@baraniewski.com with:

• A clear description of the issue and its impact
• Steps to reproduce, or a proof-of-concept
• The version of OpenUsage where you observed it (openusage version)
• The platform and Go version (go version)
• Any suggested mitigation, if you have one

You'll get an acknowledgement within 3 business days, an initial assessment within 7 business days, and updates at least weekly until the issue is resolved or marked out of scope.

We follow a coordinated-disclosure model:

1. The reporter and maintainers privately scope the issue and produce a fix.
2. A patched release is published.
3. A GitHub Security Advisory is published with a CVE (if applicable) and credit to the reporter.
4. After 30 days the original report is made public, unless extended by mutual agreement.

Researchers acting in good faith are welcome and credited in the advisory unless they prefer otherwise.

In scope:

• The openusage binary, including the dashboard TUI, the daemon, and the integrations command
• Provider auth flows and any code that handles credentials, cookies, or session data
• The telemetry pipeline, SQLite store, and Unix-socket protocol
• The published Homebrew tap and release artifacts

Out of scope:

• Issues that require local access to a logged-in user's machine to exploit
• Reports against third-party providers' APIs (those go to the vendor)
• Theoretical issues with no demonstrated impact

This project participates in:

• GitHub Dependabot for dependency updates and security advisories
• GitHub CodeQL for static analysis
• govulncheck for Go-specific vulnerability scanning
• OpenSSF Scorecard for supply-chain hygiene
• Sigstore cosign keyless signing of release binaries (GitHub OIDC identity)

Release checksums are published alongside binaries on the releases page.