39 lines
1.8 KiB
Markdown
39 lines
1.8 KiB
Markdown
### Responsible Disclosure Policy
|
|
|
|
At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users.
|
|
|
|
### Out of scope vulnerabilities
|
|
|
|
- Clickjacking on pages without sensitive actions
|
|
- CSRF on unauthenticated/logout/login pages
|
|
- Attacks requiring MITM (Man-in-the-Middle) or physical device access
|
|
- Social engineering attacks
|
|
- Activities that cause service disruption (DoS)
|
|
- Content spoofing and text injection without a valid attack vector
|
|
- Email spoofing
|
|
- Absence of DNSSEC, CAA, CSP headers
|
|
- Missing Secure or HTTP-only flag on non-sensitive cookies
|
|
- Deadlinks
|
|
- User enumeration
|
|
|
|
### Reporting Guidelines
|
|
|
|
- Submit your findings to https://github.com/FlowiseAI/Flowise/security
|
|
- Provide clear details to help us reproduce and fix the issue quickly.
|
|
|
|
### Disclosure Guidelines
|
|
|
|
- Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
|
|
- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least **30 days in advance** for review.
|
|
- Avoid including:
|
|
- Data from any Flowise customer projects
|
|
- Flowise user/customer information
|
|
- Details about Flowise employees, contractors, or partners
|
|
|
|
### Response to Reports
|
|
|
|
- We will acknowledge your report within **5 business days** and provide an estimated resolution timeline.
|
|
- Your report will be kept **confidential**, and your details will not be shared without your consent.
|
|
|
|
We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.
|