# Security policy

Thanks for taking the time to look at this. This tool authenticates against
BMCs over SSH and HTTPS, runs commands as the chosen user, and writes their
output to disk — so vulnerability reports are very welcome.

## Supported versions

Only the latest tagged release on GitHub is supported. Older versions will
not get fixes; please upgrade first.

## How to report a vulnerability

**Please do not open a public issue** for security-sensitive findings.

Use GitHub's private security advisories: go to the
[Security tab](../../security/advisories/new) of this repo and click
"Report a vulnerability". GitHub will route it privately.

Please include:
- The version you tested (the startup banner is enough).
- Steps to reproduce.
- An assessment of impact.

Reports are reviewed and addressed on a best-effort basis. A fix and a public
advisory will be published once the issue is resolved. Reporters are credited
unless they prefer to stay anonymous.

## Out of scope

- Issues that require the attacker to already control the host or the BMC.
- Behaviour with explicitly broken credentials.