Create SECURITY.md

SECURITY.md

@@ -0,0 +1,40 @@
+### Responsible Disclosure Policy  
+
+At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users.  
+
+### Vulnerabilities  
+
+The following types of issues are some of the most common vulnerabilities:
+
+- Clickjacking on pages without sensitive actions  
+- CSRF on unauthenticated/logout/login pages  
+- Attacks requiring MITM (Man-in-the-Middle) or physical device access  
+- Social engineering attacks  
+- Activities that cause service disruption (DoS)  
+- Content spoofing and text injection without a valid attack vector  
+- Email spoofing  
+- Absence of DNSSEC, CAA, CSP headers  
+- Missing Secure or HTTP-only flag on non-sensitive cookies  
+- Deadlinks  
+- User enumeration  
+
+### Reporting Guidelines  
+
+- Submit your findings to https://github.com/FlowiseAI/Flowise/security
+- Provide clear details to help us reproduce and fix the issue quickly.  
+
+### Disclosure Guidelines  
+
+- Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.  
+- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least **30 days in advance** for review.  
+- Avoid including:  
+  - Data from any Flowise customer projects  
+  - Flowise user/customer information  
+  - Details about Flowise employees, contractors, or partners  
+
+### Response to Reports  
+
+- We will acknowledge your report within **5 business days** and provide an estimated resolution timeline.  
+- Your report will be kept **confidential**, and your details will not be shared without your consent.
+  
+We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.