Security: NX1X/cloudflare-tunnel-ssh-action

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest
< latest

Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Instead, please report vulnerabilities privately:

  1. Go to the Security Advisories page
  2. Click "Report a vulnerability"
  3. Provide a clear description and reproduction steps

You will receive a response within 72 hours. If confirmed, a fix will be released as a patch version and credited in the changelog.

Security Practices

  • CI runs actionlint and shellcheck on every push and PR
  • All secrets are passed through env: blocks (masked by GitHub Actions) - never inlined in shell commands
  • The wrapper script (~/.cloudflared-ssh) is created with chmod 700 - readable only by the owner
  • SSH private keys are written with chmod 600
  • The "Verify setup" step redacts all credentials in output using sed
  • No telemetry, no analytics, no external calls - all processing stays on your runner
  • Dependencies are monitored via Dependabot for GitHub Actions version updates
  • Releases include source verification via git tags
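
An added example (not the action's own code) of three of the practices above: creating the key and wrapper files with owner-only permissions from the moment they exist, and redacting credentials with sed before output reaches the log. Function names, variable names and sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names, variable names and values are assumptions.

# write_private PATH MODE: store stdin at PATH with owner-only permissions.
# umask 077 means the file is never group/world readable, even in the window
# between creation and chmod; chmod then sets the exact mode (600 or 700)
# and also tightens a file that already existed with wider permissions.
write_private() {
  ( umask 077 && cat > "$1" ) && chmod "$2" "$1"
}

# mode_of PATH: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# redact: filter diagnostic output before it is printed to the job log.
# 1) every line of a PEM/OpenSSH private key block is replaced
# 2) the value of any upper-case NAME=value pair whose name contains
#    TOKEN, SECRET, PASSWORD or KEY is replaced with ***
redact() {
  sed -E \
    -e '/BEGIN [A-Z ]*PRIVATE KEY/,/END [A-Z ]*PRIVATE KEY/s/.*/[key material redacted]/' \
    -e 's/((TOKEN|SECRET|PASSWORD|KEY)[A-Z_]*=)[^[:space:]]+/\1***/g'
}

demo() {
  dir=$(mktemp -d) || return 1
  # Constructed sample secrets; in a workflow these arrive via an env: block.
  SSH_PRIVATE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxl
-----END OPENSSH PRIVATE KEY-----'
  TUNNEL_TOKEN='constructed-sample-token'

  # printf is a builtin in bash and dash, so the secret never appears in argv.
  printf '%s\n' "$SSH_PRIVATE_KEY" | write_private "$dir/id_key" 600
  printf '#!/bin/sh\n# placeholder wrapper body\n' | write_private "$dir/wrapper" 700

  echo "key mode: $(mode_of "$dir/id_key"), wrapper mode: $(mode_of "$dir/wrapper")"
  { echo "TUNNEL_TOKEN=$TUNNEL_TOKEN user=deploy"; cat "$dir/id_key"; } | redact
  rm -rf "$dir"
}

demo
```

The redaction filter is pattern-based, so a secret printed under a name or format it does not match passes through unchanged.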

Security Changelog

Date Change
2026-03-05 v1.0.0 - Initial release with chmod 600 keys, chmod 700 wrapper script, credential redaction in verify step, env: masking for all secrets