| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | No |
If you discover a security vulnerability in Lark CLI, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email: security@graycodeai.com
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
After you report, you can expect:
- Acknowledgment within 48 hours of your report
- Status update within 7 days with an initial assessment
- Resolution target within 30 days for confirmed vulnerabilities
- Credit in the release notes (unless you prefer to remain anonymous)
The following are in scope:
- Authentication and token handling in `lark-cli`
- Credential storage (`~/.config/lark-cli/config.json`)
- HTTP client behavior (TLS, header injection, SSRF)
- Dependency vulnerabilities in Go modules
The following are out of scope:
- The Lark server itself (report separately to lark-core)
- Social engineering attacks
- Denial of service against the CLI itself
Recommended practices for users:
- Never commit your `config.json` or API tokens to version control
- Use short-lived tokens when possible
- Run `lark-cli logout` when finished on shared machines
- Keep `lark-cli` updated to the latest release