
Security: Conalh/overreach


SECURITY.md

Security Policy

overreach is a security tool, so its own trustworthiness matters. This document covers how to report a vulnerability and what guarantees the tool makes about its own behavior.

Reporting a vulnerability

Please report security issues privately rather than opening a public issue. Use GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab).

Include the version (overreach --version), the platform, and a minimal reproduction. Expect an acknowledgement within a few days; once a fix is available it will be released and the advisory published, with credit unless you prefer otherwise.

Supported versions

overreach is pre-1.0; only the latest release receives fixes.

Version       Supported
latest 0.x    yes
older         no

What the tool guarantees about itself

These are the self-protections most relevant to a security review, each pinned by tests:

  • Secrets are never echoed. A detected credential is reported by provider only ("Anthropic", "AWS"); the matched value never appears in human or JSON output. Detector rule messages are required to be static strings, and a canary test (rendered_output_never_echoes_a_credential_value) fails the build if a value ever leaks.
  • "Clean" never means "didn't scan." Skipped paths (too large, non-UTF-8, unreadable) are surfaced as low-severity coverage-gap findings, and an unreadable entrypoint exits 2 rather than reporting a clean pass. See the README section of the same name.
  • No network, no telemetry. overreach makes no outbound connections and writes nothing outside stdout/stderr. Its only runtime dependencies are regex, serde, and serde_json.
  • Safe traversal. Symlinks are not followed mid-walk, so a hostile checkout can't redirect the scanner outside its root or loop forever. Individual files are capped at 8 MiB to bound memory on adversarial inputs.
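As an added illustration of the first guarantee (this is example code, not overreach's own), a std-only sketch of the pattern: a Finding type with no field that could hold the matched text, static rule messages, and a canary check that fails if either rendered output contains the credential. The AWS-style key shape and the key value used in the check are constructed for this example.

```rust
/// A finding carries the provider, location and a static message;
/// there is no field that could hold the matched credential text.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub provider: &'static str,
    pub line: usize,
    pub message: &'static str, // static: a value cannot be interpolated in
}

/// Constructed rule for this example: "AKIA" followed by 16 upper-case
/// letters or digits (the shape of an AWS access key ID).
fn looks_like_aws_key_id(token: &str) -> bool {
    token.len() == 20
        && token.starts_with("AKIA")
        && token[4..].bytes().all(|b| b.is_ascii_uppercase() || b.is_ascii_digit())
}

/// Scan text line by line. The matched token is examined and dropped;
/// only the provider and line number survive into the Finding.
pub fn scan(text: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in text.lines().enumerate() {
        let hit = line
            .split(|c: char| !c.is_ascii_alphanumeric())
            .any(looks_like_aws_key_id);
        if hit {
            out.push(Finding { provider: "AWS", line: i + 1, message: "access key ID detected" });
        }
    }
    out
}

/// Human-readable report: one line per finding, no values.
pub fn render_human(findings: &[Finding]) -> String {
    findings
        .iter()
        .map(|f| format!("line {}: {} [{}]\n", f.line, f.message, f.provider))
        .collect()
}

/// JSON report, hand-assembled so the example needs no crates; the fields
/// are static strings and integers, so no escaping is needed here.
pub fn render_json(findings: &[Finding]) -> String {
    let items: Vec<String> = findings
        .iter()
        .map(|f| format!("{{\"provider\":\"{}\",\"line\":{},\"message\":\"{}\"}}",
                         f.provider, f.line, f.message))
        .collect();
    format!("[{}]", items.join(","))
}
```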

Scope and limitations

overreach is a fast, regex-based first pass, not a sound analyzer. It favors recall ("look here") over precision and performs no taint tracking or data-flow analysis. A clean report means nothing matched the current ruleset — not that the code is safe. Treat findings as leads for human review.
