DO NOT open a public GitHub issue for security vulnerabilities.

Please report security vulnerabilities via one of the following channels:

• Email: security@elnora.ai
• GitHub Security Advisories: Report a vulnerability

Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgement: Within 48 hours of report
• Initial assessment: Within 5 business days
• Fix and disclosure: Within 90 days of report

We follow a 90-day disclosure timeline. We ask that you:

• Allow us reasonable time to fix the issue before public disclosure
• Do not access or modify other users' data
• Do not perform actions that could negatively impact other users
• Act in good faith to avoid privacy violations, data destruction, and service disruption

In scope:

• The Elnora CLI code in this repository
• The Elnora API as accessed through CLI commands

Out of scope:

• Third-party dependencies (please report to their respective maintainers)
• Social engineering attacks against Elnora staff
• Denial of service attacks
• Issues in services not operated by Elnora

• Never commit API keys or tokens to version control
• Use environment variables or a .env file (gitignored) for credentials
• Rotate keys periodically via the Elnora dashboard