We take security seriously. If you discover a security vulnerability in Polis CLI, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please email security concerns to: vdibart@duck.com

Include the following in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: We will acknowledge receipt of your report within 48 hours
• Updates: We will provide updates on our progress within 7 days
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Credit: With your permission, we will credit you in the security advisory

This security policy applies to:

• The polis CLI script (cli/bin/polis)
• The polis-tutorial script (cli/bin/polis-tutorial)
• Associated configuration and metadata files

• Issues in third-party dependencies (please report to the respective projects)
• Social engineering attacks
• Denial of service attacks

1. Verify downloads: Always verify the SHA256 checksum after downloading

   cd cli/bin
   sha256sum -c polis.sha256

2. Protect your keys: Your Ed25519 private key in .polis/keys/ should never be shared

3. Use HTTPS: Always use HTTPS URLs for your POLIS_BASE_URL

4. Review before blessing: Always preview comments before blessing them

   polis preview <comment-url>