From dc8112d4f0dcc8f19f83af86d5392ea02c93814b Mon Sep 17 00:00:00 2001 From: Henry Heng Date: Thu, 30 Jan 2025 09:42:22 +0000 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..8d7455de903 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,40 @@ +### Responsible Disclosure Policy + +At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users. + +### Vulnerabilities + +The following types of issues are some of the most common vulnerabilities: + +- Clickjacking on pages without sensitive actions +- CSRF on unauthenticated/logout/login pages +- Attacks requiring MITM (Man-in-the-Middle) or physical device access +- Social engineering attacks +- Activities that cause service disruption (DoS) +- Content spoofing and text injection without a valid attack vector +- Email spoofing +- Absence of DNSSEC, CAA, CSP headers +- Missing Secure or HTTP-only flag on non-sensitive cookies +- Deadlinks +- User enumeration + +### Reporting Guidelines + +- Submit your findings to https://github.com/FlowiseAI/Flowise/security +- Provide clear details to help us reproduce and fix the issue quickly. + +### Disclosure Guidelines + +- Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users. +- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least **30 days in advance** for review. +- Avoid including: + - Data from any Flowise customer projects + - Flowise user/customer information + - Details about Flowise employees, contractors, or partners + +### Response to Reports + +- We will acknowledge your report within **5 business days** and provide an estimated resolution timeline. +- Your report will be kept **confidential**, and your details will not be shared without your consent. + +We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.
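Review bot: The "### Vulnerabilities" section reads as an out-of-scope list rather than a list of what to report, and the intro sentence "The following types of issues are some of the most common vulnerabilities:" contradicts that: items like "Clickjacking on pages without sensitive actions", "Absence of DNSSEC, CAA, CSP headers" and "Missing Secure or HTTP-only flag on non-sensitive cookies" are the standard low-severity exclusions of a disclosure policy, not examples of issues you want reported. Suggest renaming the heading to something like "Out of Scope" and rewording the intro to say these issues will generally not be accepted as security reports, so researchers do not spend time on them or read the list as encouragement to file them. Two small wording fixes in the same section: "Deadlinks" should be "Dead links", and "HTTP-only flag" is conventionally written "HttpOnly flag" (the cookie attribute name). Finally, "Submit your findings to https://github.com/FlowiseAI/Flowise/security" would be clearer if it said which mechanism on that page to use (GitHub's private vulnerability reporting / "Report a vulnerability" button), so that a finder does not open a public issue by mistake.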