Security: StreamnDad/reeln-plugin-cloudflare

SECURITY.md

Security Policy

Supported Versions

reeln-plugin-cloudflare is pre-1.0 software. Security fixes are published against the latest release only. We recommend always running the most recent version from PyPI or the Releases page.

Version           Supported
latest release    yes
older             no

Scope

reeln-plugin-cloudflare is a reeln-cli plugin that uploads video clips and highlight files to Cloudflare R2 storage via the S3-compatible API. It runs inside reeln-cli on a livestreamer's local machine and makes outbound HTTPS requests to Cloudflare using R2 access keys stored on disk.

In-scope concerns include, but are not limited to:

  • Leakage of R2 access key IDs, secret access keys, or account IDs via logs, error messages, cached responses, or saved state
  • Insecure file permissions on the on-disk credential store
  • Unsafe handling of presigned URLs — accidental logging, overly long expirations, or granting broader permissions than intended
  • Path traversal in R2 object keys derived from user-supplied game metadata (team names, clip titles, roster strings)
  • Unsafe deserialization of R2/S3 API responses or cached manifests
  • Command injection or path traversal in upload staging directories or local artifact paths
  • Dependency confusion or typosquatting on the PyPI package name
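Several of the in-scope items above (object keys derived from user-supplied metadata, presigned URLs reaching logs or living too long, permissions on the on-disk credential store) are concrete enough to check in code. The block below is an added example written for this page, not code from reeln-plugin-cloudflare or reeln-cli; the policy limits, function names, file layout and the sample presigned URL are this example's own assumptions, and the credential-file check relies on POSIX mode bits only.

```python
"""Added example, not the plugin's own code: defensive checks for an R2 uploader."""
import os
import posixpath
import re
import stat
import tempfile
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed policy limits; the plugin's real values are not stated on the page.
MAX_PRESIGN_SECONDS = 15 * 60   # presigned URLs should be short-lived
MAX_SEGMENT_LEN = 64

# After normalisation a key segment may contain only these characters.
_UNSAFE_RE = re.compile(r"[^A-Za-z0-9._-]+")
# SigV4 query parameters that must never reach a log line.
_SENSITIVE_QUERY = {"x-amz-signature", "x-amz-credential", "x-amz-security-token"}


def slug(segment: str) -> str:
    """Reduce one piece of user metadata (team name, clip title) to a single
    key segment with no '/', no '..' and no control characters."""
    s = _UNSAFE_RE.sub("-", segment.strip())
    s = re.sub(r"[.-]*\.[.-]*", ".", s)      # separator run containing a dot -> one dot
    s = re.sub(r"-{2,}", "-", s)[:MAX_SEGMENT_LEN].strip("-.")
    if not s:
        raise ValueError(f"unusable key segment: {segment!r}")
    return s


def build_object_key(prefix: str, *parts: str) -> str:
    """Join slugged parts under a fixed prefix and verify the result stays inside it."""
    prefix = prefix.strip("/")
    if not prefix or ".." in prefix.split("/") or not parts:
        raise ValueError("bad prefix or no segments")
    key = "/".join([prefix, *(slug(p) for p in parts)])
    # Belt and braces: normalising must be a no-op and the prefix boundary must hold.
    if posixpath.normpath(key) != key or not key.startswith(prefix + "/"):
        raise ValueError(f"key escaped prefix: {key!r}")
    return key


def redact_presigned_url(url: str) -> str:
    """Return a loggable form of a presigned URL with the signing material removed."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in _SENSITIVE_QUERY else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def presigned_expiry(url: str, limit: int = MAX_PRESIGN_SECONDS) -> int:
    """Read X-Amz-Expires from a presigned URL and enforce the lifetime policy.
    With boto3 the value comes from generate_presigned_url(..., ExpiresIn=n);
    checking the emitted URL catches a caller that passed a too-large n."""
    params = dict(parse_qsl(urlsplit(url).query))
    try:
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError) as e:
        raise ValueError("not a SigV4 presigned URL") from e
    if not 0 < expires <= limit:
        raise ValueError(f"presigned URL lifetime {expires}s exceeds {limit}s")
    return expires


def write_private_credentials(path: str, contents: str) -> None:
    """Create the credential file with mode 0600 and O_EXCL, so it is never
    briefly world-readable before a later chmod and never clobbers a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.chmod(path, 0o600)   # make the mode explicit regardless of umask


def credential_file_is_private(path: str) -> bool:
    """True if path is a regular file (not a symlink) with no group/other bits.
    POSIX semantics only; Windows ACLs are not represented in st_mode."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def self_check() -> dict:
    """Exercise the checks on constructed inputs and return the outcomes."""
    # Constructed presigned URL; the key id and signature are fake values.
    url = ("https://example-bucket.0123456789abcdef.r2.cloudflarestorage.com/clips/a.mp4"
           "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Credential=EXAMPLEKEYID%2F20240101%2Fauto%2Fs3%2Faws4_request"
           "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
           "&X-Amz-Signature=0123abcd")
    with tempfile.TemporaryDirectory() as d:
        cred = os.path.join(d, "r2-credentials.json")   # assumed file name
        write_private_credentials(cred, '{"access_key_id": "EXAMPLEKEYID"}\n')
        private_after_write = credential_file_is_private(cred)
        os.chmod(cred, 0o644)
        private_after_loosen = credential_file_is_private(cred)
    return {
        "key": build_object_key("clips", "Lakers/../../admin", "Game 7 - Final.mp4"),
        "log_line": redact_presigned_url(url),
        "expiry": presigned_expiry(url),
        "private_after_write": private_after_write,
        "private_after_loosen": private_after_loosen,
    }


if __name__ == "__main__":
    for name, value in self_check().items():
        print(f"{name}: {value}")
```

The key builder deliberately rejects rather than silently repairs anything that would leave the prefix, and the normpath round-trip is a second, independent check on the join. Redacting only the signing parameters keeps the bucket, key and expiry visible for debugging while removing what would let a log reader reuse the URL.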

Out of scope:

  • Vulnerabilities in Cloudflare R2 itself or in the upstream boto3 / botocore S3 client — report those to the respective upstream
  • Vulnerabilities in reeln-cli or other reeln plugins — report those to the respective repository
  • Issues that require an attacker to already have local code execution on the user's machine or access to the stored R2 credentials

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Report vulnerabilities using GitHub's private vulnerability reporting:

  1. Go to the Security tab of this repository
  2. Click "Report a vulnerability"
  3. Fill in as much detail as you can: affected version, reproduction steps, impact, and any suggested mitigation

If you cannot use GitHub's reporting, email git-security@email.remitz.us instead.

What to include

A good report contains:

  • The version of reeln-plugin-cloudflare, reeln-cli, and Python you tested against
  • Your operating system and architecture (macOS / Windows / Linux, arch)
  • Steps to reproduce the issue
  • What you expected to happen vs. what actually happened
  • The potential impact (credential leakage, unauthorized bucket access, presigned URL abuse, data loss, etc.)
  • Any proof-of-concept code, if applicable

What to expect

This plugin is maintained by a small team, so all timelines below are best-effort rather than hard guarantees:

  • Acknowledgement: typically within a week of your report
  • Initial assessment: usually within two to three weeks, including whether we consider the report in scope and our planned next steps
  • Status updates: roughly every few weeks until the issue is resolved
  • Fix & disclosure: coordinated with you. We aim to ship a patch release reasonably quickly for high-severity issues, with lower-severity issues addressed in a future release. Credit will be given in the release notes and CHANGELOG unless you prefer to remain anonymous.

If a report is declined, we will explain why. You are welcome to disagree and provide additional context.

There aren’t any published security advisories