If you discover a security vulnerability in releaserun-cli, please report it responsibly:

1. Do not open a public issue
2. Email security@releaserun.com with details
3. Include steps to reproduce if possible
4. We'll respond within 48 hours

releaserun-cli runs locally and makes outbound API calls to:

• endoflife.date (EOL data)
• osv.dev (vulnerability data)

No user data is collected or transmitted. All scanning happens locally.