Security: techinpark/app-store-connect-cli

SECURITY.md

Security Policy

Supported Versions

Security fixes are expected to land on the latest version on main.

Reporting a Vulnerability

Please do not open a public GitHub issue for sensitive security problems.

Report vulnerabilities privately through GitHub Security Advisories if enabled for the repository. If that is not available, contact the maintainer directly through a private channel and include:

  • a clear description of the issue
  • impact and attack scenario
  • steps to reproduce
  • any proof of concept or logs that are safe to share

Scope

Relevant security topics for this project include:

  • accidental exposure of App Store Connect credentials
  • unsafe handling of .p8 private keys
  • command injection risk in CLI input handling
  • insecure logging of request bodies or secrets
  • unsafe automation defaults for write operations

Operational Guidance

  • never commit real App Store Connect .p8 keys
  • prefer environment variables for CI secrets
  • use least-privilege App Store Connect API keys
  • review raw write operations carefully before running them in automation

There aren't any published security advisories