If you discover a security vulnerability in outlook-cli, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities.
- Where: Report the vulnerability via GitHub Security Advisories (preferred) or contact the maintainers directly.
- Include: A description of the vulnerability, steps to reproduce, and the potential impact.
We will acknowledge receipt within 48 hours and provide a timeline for a fix.
| Version | Supported |
|---|---|
| 2.x (current) | ✅ Security updates |
| 1.x | ❌ No longer supported |
The following are in scope for security reports:
- Token theft or credential exposure
- Scope escalation (bypassing forbidden scope enforcement)
- Encryption weaknesses (AES-256-GCM implementation, key derivation)
- Authentication bypass (PKCE, token validation)
- Path injection in Graph API calls
- Sensitive data exposure in logs, telemetry, or error messages
The following are not in scope:
- Issues in Microsoft Graph API itself (report to Microsoft Security Response Center)
- Issues in MSAL libraries (report to Microsoft Identity team)
- Denial of service via normal CLI usage (rate limiting is handled by Graph API)
- Social engineering attacks
For a comprehensive overview of the security architecture, see:
- docs/SECURITY.md — Security model summary
- docs/SECURITY-DESIGN.md — Full enterprise security design document with threat model, STRIDE analysis, and compliance mappings