strivo is in alpha. Only the latest tagged release is supported with security fixes; older tags are not patched.

Please report security issues privately, not as a public GitHub issue.

Preferred channel: open a private security advisory on the repository. The advisory form lets us discuss and patch before the issue becomes public.

If that is unavailable to you, email slrevoy@mailbox.org with a subject line that starts with strivo security:.

• A description of the issue and the impact you believe it has.
• A minimal reproducer or proof-of-concept where possible.
• Affected strivo version, OS, and any relevant configuration.

• Acknowledgement within 7 days.
• A triage outcome (accepted / not-a-vulnerability / duplicate) within 14 days.
• Coordinated disclosure: once a fix is ready, we agree on a release date and only then make the advisory public.

• Issues in third-party tools strivo invokes (ffmpeg, mpv, streamlink, yt-dlp) — report those to the respective upstreams.
• Issues that require a malicious local user with shell access to your account, since they could already read your config and keyring.
• Plugin crashes from third-party cdylib plugins — see docs/PLUGIN-MANIFEST.md; third-party plugins are explicitly not recommended for end users in alpha.