We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT create a public GitHub issue for security vulnerabilities.

2. Email: Send a detailed report to the maintainer via GitHub private message or create a private security advisory.

3. GitHub Security Advisory: You can also report vulnerabilities through GitHub's Security Advisory feature.

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if any)
• Your contact information for follow-up questions

• Initial Response: Within 48 hours of receiving the report
• Status Update: Within 7 days with our assessment
• Resolution: We aim to resolve critical vulnerabilities within 30 days

• We will acknowledge receipt of your vulnerability report
• We will investigate and validate the issue
• We will work on a fix and coordinate disclosure
• We will credit you in the release notes (unless you prefer to remain anonymous)

This security policy applies to:

• The cltree binary and its source code
• Dependencies used by the project

• Vulnerabilities in Claude Code CLI itself (report to Anthropic)
• Issues in third-party dependencies should be reported to those projects directly, though we appreciate being notified so we can update

• Always download releases from official sources (GitHub releases or crates.io)
• Verify checksums when available
• Keep your installation up to date
• Be cautious when running cltree in directories with untrusted content

Thank you for helping keep cltree secure!