Security: be-lenka/vshosting-monitor

SECURITY.md

Security Policy

Supported versions

This project tracks the latest commit on master. Security fixes are applied there and released as a new minor/patch version.

Reporting a vulnerability

If you find a security issue, please do not open a public GitHub issue. Instead, email the maintainer at dev@belenka.com with:

  • A description of the issue
  • Steps to reproduce, or a minimal proof of concept
  • Your assessment of impact

Expect an initial response within 7 days.

Scope

In scope:

  • Credential leakage (the bearer token, the Slack webhook URL, the VSHOSTING_PASSWORD env var).
  • Command-injection or argument-handling bugs in the CLI.
  • Issues that cause the notifier to spam Slack or hammer the vshosting API.

Out of scope:

  • Issues in the upstream vshosting.cloud API itself — please report those directly to vshosting.
  • Misconfiguration of a third-party webhook of your own.

Operational guidance

  • Treat SLACK_WEBHOOK_URL as a secret of equivalent sensitivity to a password — anyone with it can post to your Slack workspace.
  • Do not commit .env. The repo's .gitignore excludes it, and a PreToolUse hook (.claude/hooks/block-secrets.sh) blocks AI assistants from reading it.
  • Prefer a secret manager (Docker secrets, 1Password CLI, pass, AWS Secrets Manager, …) over a plaintext .env for production use.
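The PreToolUse hook mentioned above, written out as an added example in the same spirit (this is not the repository's own .claude/hooks/block-secrets.sh, and the helper names are mine). It assumes the Claude Code hook protocol as I understand it, which the page does not describe: the hook receives one JSON object on stdin carrying tool_name and tool_input, file tools put the target in tool_input.file_path, the Bash tool puts the shell command in tool_input.command, and exiting with status 2 blocks the call while stderr is shown to the assistant as the reason.

```sh
#!/bin/sh
# Added example, not the repository's own .claude/hooks/block-secrets.sh:
# a Claude Code PreToolUse hook that refuses to let the assistant read dotenv
# files. ASSUMED hook protocol (not described on the page): the hook receives
# one JSON object on stdin with "tool_name" and "tool_input"; file tools put
# the target in "tool_input.file_path", the Bash tool puts the shell command in
# "tool_input.command"; exiting with status 2 blocks the tool call and the
# text on stderr is shown to the assistant as the reason.

# Is this path a dotenv secret file (.env, .env.local, ./sub/.env.prod, ...)?
is_secret_path() {
  case "$1" in
    .env|*/.env|.env.*|*/.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract one string-valued key from the flat JSON payload with sed, so the
# hook needs no jq. Fine for the single-line JSON the hook receives; a value
# containing an escaped quote is truncated at that quote.
json_string() {  # $1 = json text, $2 = key name
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Decide for one payload: returns 0 to allow, 2 to deny (reason on stdout).
hook_decision() {
  payload=$1
  tool=$(json_string "$payload" tool_name)
  case "$tool" in
    Bash)
      cmd=$(json_string "$payload" command)
      # Deny if any whitespace-separated word of the command names a dotenv
      # file (cat .env, source ./.env.prod). set -f stops glob expansion of
      # the unquoted $cmd inside the subshell.
      if ! ( set -f; for tok in $cmd; do is_secret_path "$tok" && exit 2; done; exit 0 ); then
        echo "shell command references a dotenv file: $cmd"
        return 2
      fi
      ;;
    *)
      path=$(json_string "$payload" file_path)
      if [ -n "$path" ] && is_secret_path "$path"; then
        echo "reading $path is blocked; secrets stay out of the assistant's context"
        return 2
      fi
      ;;
  esac
  return 0
}

# Entry point used by Claude Code: read the payload, print the reason to
# stderr and exit 2 on deny, exit 0 on allow.
run_hook() {
  input=$(cat)
  if reason=$(hook_decision "$input"); then
    exit 0
  fi
  echo "block-secrets: $reason" >&2
  exit 2
}

# Act as the hook only when invoked with --hook, so the functions above can
# also be sourced and exercised directly.
if [ "${1:-}" = "--hook" ]; then
  run_hook
fi
```

To wire it up (again an assumption about Claude Code's settings layout, not something the page states), register the script under hooks / PreToolUse in .claude/settings.json with a matcher covering the Read, Edit, Write and Bash tools and the command `.claude/hooks/block-secrets.sh --hook`. The path check is a deny list for the one file family the page cares about; anything the sed parser cannot read is allowed through, so a stricter variant would deny on a parse failure instead.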

There aren't any published security advisories