MavMeta is in pre-1.0 development. Only the current release receives security fixes.

Please do not open a public GitHub issue for security vulnerabilities.

Email a description to j.p.richter@gmail.com with:

• a clear description of the issue,
• reproduction steps or a proof of concept,
• the affected version (commit SHA or release tag), and
• the impact you believe the issue has.

If you would like to encrypt your report, request a PGP key in your first message and one will be provided.

• Acknowledgement: within 7 days of receipt.
• Triage and initial assessment: within 14 days.
• Fix target: within 90 days of the acknowledged report.

If a fix will take longer than 90 days, the reporter will be notified with a revised timeline and the reasoning.

Disclosure happens at whichever comes first:

• 90 days after the report was acknowledged, or
• the release that ships the fix.

Reporters are credited in the release notes unless they request otherwise.

In scope:

• The MavMeta local server (src/server/) and its HTTP surface.
• The MavMeta frontend bundle served from that local server.
• The packaged release artifacts on GitHub.

Out of scope:

• Vulnerabilities in Salesforce itself or in the sf CLI — please report those upstream.
• Issues that require an attacker to already have local code-execution privileges on the user's machine equivalent to the MavMeta process (MavMeta is a local-machine tool; we assume the local user is trusted).

• Security model and threat model