We take security vulnerabilities seriously. If you discover a security issue in Termly CLI, please report it responsibly.
For security vulnerabilities, please DO NOT open a public GitHub issue.
Instead, please report security issues privately:
- GitHub Security Advisory (preferred):
  - Go to https://github.com/termly-dev/termly-cli/security/advisories/new
  - Create a private security advisory
  - Provide detailed information about the vulnerability
- Email:
  - Send to: hello@termly.dev
  - Include "SECURITY" in the subject line
  - Provide detailed steps to reproduce the issue
When reporting a vulnerability, please include:
- Description - Clear description of the vulnerability
- Impact - What could an attacker potentially do?
- Steps to reproduce - Detailed steps to verify the issue
- Affected versions - Which versions are impacted?
- Proposed fix - If you have suggestions
Response timeline:
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity
  - Critical: 1-7 days (with forced update via version check)
  - High: 7-14 days
  - Medium: 14-30 days
  - Low: 30-90 days
When security issues are fixed:
- We'll release a patch version immediately
- Update the CHANGELOG
- Credit the reporter (unless they prefer to remain anonymous)
- Publish a security advisory on GitHub
- For critical issues: Set minimum version on server to force all users to update
We only support the latest version.
| Version | Supported |
|---|---|
| Latest (1.3.x) | ✅ Yes |
| Older versions | ❌ No |
Important: Termly CLI includes automatic version checking. If your version is outdated and has known security issues, the CLI will block startup and require you to update.
To update to the latest version:
```bash
npm update -g @termly-dev/cli
```
Termly CLI includes several security features:
- End-to-end encryption:
  - Algorithm: AES-256-GCM (authenticated encryption)
  - Key Exchange: Diffie-Hellman (2048-bit MODP group)
  - Key Derivation: HKDF-SHA256
  - Session Keys: Unique per session, never reused
- Zero-knowledge relay:
  - Server cannot decrypt your data
  - All encryption happens client-side (CLI and mobile app)
  - Server only relays encrypted messages
- Fingerprint verification:
  - Both CLI and mobile app display encryption fingerprints
  - Users can verify they match to detect a man-in-the-middle (MITM) on the key exchange; plain Diffie-Hellman is unauthenticated, so this out-of-band comparison is what rules out a MITM
  - Fingerprint: First 8 bytes of SHA-256(shared_secret)
- Version enforcement:
  - CLI checks minimum supported version on startup
  - Outdated versions are blocked from connecting
  - Ensures users have latest security patches
- Session isolation:
  - Each session uses unique encryption keys
  - One mobile device per session (enforced)
  - Sessions cannot interfere with each other
When using Termly CLI:
- Always verify fingerprints - Compare CLI and mobile fingerprints on first connection
- Keep CLI updated - Run `npm update -g @termly-dev/cli` regularly
- Secure your machine - CLI has access to your code and AI tools
- Use trusted networks - Avoid public WiFi for sensitive work
- Review session list - Run `termly status` to check active sessions
- Clean up stale sessions - Run `termly cleanup` periodically
- Local Access - Anyone with access to your machine can access the CLI
- PTY Output - Terminal output is visible on the local machine
- No User Authentication - CLI doesn't authenticate users (relies on pairing codes)
- WebSocket Connection - Connection metadata (IP, timing) visible to server
- Node.js Dependencies - Security depends on npm package ecosystem
Termly CLI's cryptography implementation:
- Uses standard Node.js crypto module
- Follows NIST recommendations for key sizes
- Implementation details: See CRYPTO_SPEC.md
Status: Not yet audited by third-party security firm.
We welcome security researchers to review our implementation.
We follow responsible disclosure practices:
- You report the issue privately
- We confirm the issue and develop a fix
- We release the fix
- We publish the security advisory
- You receive credit (if desired)
We commit to:
- Keeping you informed throughout the process
- Crediting you appropriately
- Not taking legal action against security researchers acting in good faith
We don't currently have a formal bug bounty program, but we appreciate security research!
For significant findings, we're happy to:
- Credit you publicly (if desired)
- Send you Termly swag
- Buy you a coffee via Ko-fi
For security questions or concerns, contact: hello@termly.dev
For general support: https://github.com/termly-dev/termly-cli/issues
Last Updated: 2025-01-12