ncei-cpp is a third-party C++ client for NOAA's National Centers for Environmental Information APIs (the CDO API and the Data Service API). It carries an NCEI API token in CDOClient::Config::token and forwards it via the token HTTP header on every request. A vulnerability that mishandles the token or proxies credentials would leak the operator's NCEI quota and potentially their identity. This file is the canonical contact path for reporting one.

Security fixes are made on the latest published vX.Y.Z tag. Older tags are not back-patched — bump your FetchContent_Declare(... GIT_TAG ...) pin or your find_package(ncei-cpp X.Y.Z REQUIRED) constraint to the latest minor on the same major as part of the upgrade.

Do not open a public issue. Use GitHub's private vulnerability reporting flow, which delivers the report to the maintainer privately and tracks coordinated disclosure.

When reporting, please include:

• Affected version (tag or commit SHA)
• A reproduction — minimal code or test case
• Impact (credential leak / token misuse / DoS / something else)
• Whether you've notified anyone else (e.g. NOAA directly)

You can expect:

• Acknowledgement within 3 business days
• An initial assessment + severity rating within 7 business days
• A fix on a new vX.Y.Z+1 tag, or a clear timeline if the fix is larger

• Bugs against www.ncei.noaa.gov itself — those go to NOAA's own vulnerability program, not this client library.
• Operational issues (rate-limit handling, network blips) — file a regular issue.
• Theoretical issues against dependencies — report them upstream (openssl, libcurl, Glaze, googletest). We pin via FetchContent and bump on credible advisories.