The arduino-cli-interactive (aci) team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
If you discover a security vulnerability in arduino-cli-interactive, please report it privately:
- DO NOT open a public GitHub issue for security vulnerabilities
- Email: write2vaichu@gmail.com with the subject line `[SECURITY] Brief description`

Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information (optional, for follow-up)

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48-72 hours
- Updates: We will send you regular updates on our progress
- Timeline: We aim to provide a fix within 7-14 days for critical issues
- Credit: With your permission, we will credit you in the security advisory
We provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 1.2.x | ✅ Yes | Active development |
| 1.1.x | | Maintenance mode |
| 1.0.x | ❌ No | End of life |
| < 1.0 | ❌ No | End of life |
Recommendation: Always use the latest version for the best security and features.
When using arduino-cli-interactive:
- Keep Updated: Regularly update to the latest version
  ```bash
  brew upgrade aci # if installed via Homebrew
  ```
- Verify Sources: Only install from official sources:
  - Official Homebrew tap: vaishnav-sabari-girish/arduino-cli-interactive
  - Official GitHub: https://github.com/Vaishnav-Sabari-Girish/arduino-cli-interactive
  - Official Codeberg: https://codeberg.org/Vaishnav-Sabari-Girish/arduino-cli-interactive
- Review Scripts: If installing from source, review the code before running
- Permissions: The tool requires permissions to:
  - Access serial ports (for Arduino communication)
  - Read/write files in your home directory (for configuration)
  - Execute arduino-cli commands
- GitHub Token: If using update notifications with ACI_GITHUB_TOKEN:
  - Use a token with minimal permissions (only repo read access)
  - Never commit tokens to version control
  - Rotate tokens regularly
When contributing code:
- Input Validation: Always validate user inputs
  ```bash
  # Good: Validate before use (allow only letters, digits, '/', '_' and '-')
  if [[ ! "$port" =~ ^[a-zA-Z0-9/_-]+$ ]]; then
    echo "Invalid port format" >&2
    return 1
  fi
  ```
- Command Injection: Avoid executing arbitrary user input
  ```bash
  # Bad: Direct command execution
  eval "$user_input"

  # Good: Validated and sanitized (compare against known actions, never eval)
  if [[ "$user_input" == "upload" ]]; then
    arduino-cli upload ...
  fi
  ```
- File Path Safety: Sanitize file paths
  ```bash
  # Good: Prevent directory traversal
  # Strip "../" until none remains: a single pass can be bypassed
  # (e.g. "..././" becomes "../" after one removal)
  while [[ "$sketch_path" == *"../"* ]]; do
    sketch_path="${sketch_path//..\/}"
  done
  ```
- Sensitive Data: Never log or store sensitive information
  - API tokens
  - User credentials
  - Personal information
- Dependencies: Keep dependencies updated
  - arduino-cli
  - gum
  - timer
- Code Review: Security-sensitive changes require thorough review
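The three code rules above as working shell functions, added here as an example rather than code from the aci project: `validate_port`, `validate_sketch_path`, `run_action` and the `ACI_CLI` dry-run override are names assumed for this example. It goes one step beyond the snippet above by rejecting traversal paths instead of stripping them, so there is no rewrite step to bypass.

```sh
#!/bin/sh
# Added example, not aci's own code: the contribution rules (input validation,
# no eval of user input, safe sketch paths) as POSIX sh functions.
# validate_port, validate_sketch_path, run_action and ACI_CLI are hypothetical
# names chosen for this example.

# Rule 1: allow-list the serial port name (same character set as the rule
# above) before it is ever passed to arduino-cli.
validate_port() {
  case "$1" in
    ''|*[!a-zA-Z0-9/_-]*) echo "Invalid port format: $1" >&2; return 1 ;;
  esac
}

# Rule 3: reject rather than strip. Wrapping the path in "/" lets one case
# pattern catch a ".." component anywhere, an empty path, a doubled slash and
# an absolute path (which would start with "//"). Nothing is rewritten, so
# inputs like "..././" stay harmless instead of collapsing into "../".
validate_sketch_path() {
  case "/$1/" in
    *'/../'*|*'//'*) echo "Invalid sketch path: $1" >&2; return 1 ;;
  esac
}

# Rule 2: map the user's action onto a fixed set of arduino-cli invocations
# with a case statement; eval is never used. ACI_CLI defaults to arduino-cli
# and can be pointed at "echo" to dry-run without a board attached.
run_action() {
  action="$1"; port="$2"; sketch="$3"
  cli="${ACI_CLI:-arduino-cli}"
  validate_port "$port" || return 1
  validate_sketch_path "$sketch" || return 1
  case "$action" in
    compile) "$cli" compile "$sketch" ;;
    upload)  "$cli" upload -p "$port" "$sketch" ;;
    *) echo "Unknown action: $action" >&2; return 1 ;;
  esac
}
```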
- The tool requires access to serial ports to communicate with Arduino boards
- This is normal behavior for Arduino development tools
- The tool does not access other USB devices or system resources
- Configuration stored in user's home directory (~/.aci or similar)
- Sketches compiled in temporary directories
- No system-wide files are modified
- No data is transmitted externally

The tool executes these external commands:
- arduino-cli - Arduino command-line interface
- gum - Terminal UI framework
- timer - Progress bar tool
- Standard Unix tools: sed, awk, grep, etc.

All external commands are from trusted sources and installed by the user.

- arduino-cli may download:
  - Board cores from Arduino repositories
  - Libraries from Arduino Library Manager
  - Updates from official Arduino sources
- No user data is transmitted to external servers
- Update notifications (if enabled) check GitHub API for new releases
When a security vulnerability is confirmed:
- Assessment: We assess the severity and impact
- Fix Development: A fix is developed and tested privately
- Testing: The fix is tested across supported platforms
- Release: A new version is released with the security fix
- Notification: Users are notified via:
  - GitHub Security Advisories
  - Release notes
  - README updates
- Disclosure: Public disclosure after fix is available
We use the following severity levels:

- Remote code execution
- Privilege escalation
- Data exfiltration

  Response: Immediate fix within 24-48 hours

- Local code execution via crafted input
- Unauthorized file access
- Denial of service

  Response: Fix within 7 days

- Information disclosure
- Input validation bypass

  Response: Fix within 14 days

- Minor information leaks
- Non-security bugs with security implications

  Response: Fix in next regular release
We follow responsible disclosure practices:
- Private Reporting: Security issues reported privately first
- Fix First: Security fixes released before public disclosure
- Coordinated Disclosure: Public disclosure coordinated with fix release
- Credit: Researchers credited in security advisories (with permission)
We ask security researchers to:
- Report vulnerabilities privately
- Give us reasonable time to fix issues before public disclosure
- Not exploit vulnerabilities for malicious purposes
We recognize security researchers who help improve our security:
No security vulnerabilities have been reported yet.
- Security Issues: write2vaichu@gmail.com
- General Questions: GitHub Discussions
- Bug Reports: GitHub Issues
Last Updated: 2026-02-15
Thank you for helping keep arduino-cli-interactive secure! 🔒