
Security: osodevops/jira-cli


SECURITY.md

Security Policy

Please report vulnerabilities privately to security@osodevops.io.

Do not open public issues for vulnerabilities, leaked credentials, token-handling flaws, or private Jira data exposure. Include clear reproduction steps, impact, affected versions, and any relevant redacted logs.

Supported Versions

Security fixes target the latest released version and main.

Credential Handling

jira-cli must not store Jira API tokens, OAuth access tokens, refresh tokens, client secrets, cookies, or private issue data in plaintext config files.

Expected behavior:

  • API tokens are stored in the operating-system keyring when available.
  • Encrypted file fallback is used only when keyring storage is unavailable.
  • Config loading rejects plaintext token fields.
  • Diagnostics, status output, debug curl output, and errors redact secrets.
  • CI smoke tests use GitHub secrets and must not print token values.
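As an added example (not code from the jira-cli project, whose implementation language is not stated on this page), the following Go program shows how two of the expectations above can be enforced in code: a config loader that rejects any plaintext token field instead of silently accepting it, and a redaction pass that every diagnostic, status, debug curl, and error line passes through before it is printed. The field names (api_token, access_token, refresh_token, client_secret, cookie), the token_source setting, the regular expressions, and all sample values are assumptions constructed for the example, not the project's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Config is the subset of settings that may live in a plaintext config file.
// Secrets are referenced by TokenSource ("keyring" or "encrypted-file"), never stored here.
// Field names are assumptions for this example, not the project's real schema.
type Config struct {
	Site        string `json:"site"`
	Email       string `json:"email"`
	TokenSource string `json:"token_source"`
}

// forbiddenKeys are field names that must never carry a value in a plaintext config.
// The list is constructed for this example.
var forbiddenKeys = []string{"api_token", "access_token", "refresh_token", "client_secret", "cookie"}

// ErrPlaintextSecret is returned when a config file carries a secret inline.
var ErrPlaintextSecret = errors.New("plaintext secret field in config")

// LoadConfig parses raw JSON and rejects it if any top-level key matches a forbidden field
// (case-insensitively). Rejecting the whole file, rather than dropping the field, makes the
// mistake visible to the user so the secret gets moved into the keyring.
func LoadConfig(raw []byte) (Config, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(raw, &keys); err != nil {
		return Config{}, fmt.Errorf("parse config: %w", err)
	}
	for k := range keys {
		for _, f := range forbiddenKeys {
			if strings.EqualFold(k, f) {
				return Config{}, fmt.Errorf("%w: field %q", ErrPlaintextSecret, k)
			}
		}
	}
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return Config{}, fmt.Errorf("parse config: %w", err)
	}
	if c.TokenSource == "" {
		c.TokenSource = "keyring" // keyring is the default; the encrypted file is only a fallback
	}
	return c, nil
}

// redactPatterns cover the places a secret shows up in diagnostics: HTTP auth headers,
// cookie headers, and key=value or JSON-style secret fields. Group 1 keeps the label so
// the output stays readable while the value itself is replaced.
var redactPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(Authorization:\s*(?:Bearer|Basic)\s+)[^\s"']+`),
	regexp.MustCompile(`(?i)(Cookie:\s*)[^\r\n"']+`),
	regexp.MustCompile(`(?i)((?:api_token|access_token|refresh_token|client_secret)["']?\s*[:=]\s*["']?)[^"'\s,&]+`),
}

// Redact replaces secret values with [REDACTED]. It is meant to wrap every line of
// status, debug curl, and error output before that line is printed or logged.
func Redact(s string) string {
	for _, re := range redactPatterns {
		s = re.ReplaceAllString(s, "${1}[REDACTED]")
	}
	return s
}

func main() {
	// Constructed sample config that violates the policy (the token value is fake).
	bad := []byte(`{"site":"https://example.atlassian.net","email":"dev@example.com","api_token":"FAKE-TOKEN"}`)
	if _, err := LoadConfig(bad); err != nil {
		fmt.Println("rejected:", err)
	}
	// Constructed debug curl line; the Basic credential is a fake sample value.
	fmt.Println(Redact(`curl -H "Authorization: Basic ZGV2QGV4YW1wbGUuY29tOkZBS0U=" https://example.atlassian.net/rest/api/3/myself`))
}
```

The loader scans only top-level keys; a real implementation would walk nested objects as well. Keeping Redact as the single choke point for output means a new debug path cannot leak a token simply because its author forgot to mask it.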

Maintainer Response

We will acknowledge reports as soon as practical, assess severity, coordinate a fix, and agree on disclosure timing with the reporter.

There aren't any published security advisories