We take the security of otari seriously. If you believe you have found a security vulnerability in otari-cli, please report it to us privately.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, please use one of the following channels:

• Open a private GitHub Security Advisory on this repository, or
• Email security@mozilla.ai with the details.

Please include as much of the following as you can:

• The type of issue (e.g. credential leakage, authentication/authorization flaw, injection, etc.).
• The affected component and version/commit.
• Step-by-step instructions to reproduce, and a proof-of-concept if available.
• The impact of the issue, including how an attacker might exploit it.

Test only against your own self-hosted instance. Do not run scans or send exploit traffic against any mozilla.ai-operated infrastructure.

• We will acknowledge receipt of your report within a few business days.
• We will investigate and keep you informed of our progress.
• Once a fix is available, we will coordinate a disclosure timeline with you and credit you in the advisory (unless you prefer to remain anonymous).