If you discover a security vulnerability in td, please report it responsibly.

Do not open a public GitHub issue.

Instead, use GitHub's private vulnerability reporting to submit your report. You'll receive a response within 7 days.

Security issues for this project include:

• Token exposure — API tokens leaked in logs, output, or error messages
• Config file permissions — insecure default permissions on ~/.config/td/config.toml
• Command injection — user input passed unsafely to shell commands
• Dependency vulnerabilities — known CVEs in direct dependencies

• Feature requests or general bugs (use GitHub Issues)
• Todoist API vulnerabilities (report to Doist)