Currently, security updates are provided for the following versions:

If you discover a security vulnerability, please do not submit a public issue.

1. Send an email to security@yflow.io
2. Include the following information:
   • Description of the vulnerability
   • Affected versions
   • Steps to reproduce (if applicable)
   • Potential impact
   • Suggested fix (if available)

• We will acknowledge receipt within 48 hours
• We will assess the vulnerability and determine a response plan within 7 days
• We will notify you when a fix is available
• We will credit your contribution in the security advisory (unless you request anonymity)

When releasing security updates, we will:

1. Publish a new release on GitHub
2. Mark security fixes in the release notes
3. Advise users to upgrade to the secure version promptly

• Keep your YFlow instance updated to the latest version
• Never commit configuration files with sensitive information to public repositories
• Use strong passwords and enable two-factor authentication (if supported)
• Regularly review access logs and user activity

• Follow secure coding practices
• Validate and sanitize all user input
• Use parameterized queries to prevent SQL injection
• Keep dependencies up to date
• Review code for security issues during pull requests

Before deploying to production, ensure:

• Change the default admin password
• Set strong password policies
• Enable HTTPS
• Configure firewall rules
• Rate-limit API access
• Regularly back up the database
• Configure log monitoring
• Set environment variables instead of hardcoding sensitive information

Make sure the following sensitive information is configured via environment variables:

# Database
DB_ROOT_PASSWORD
DB_PASSWORD

# JWT
JWT_SECRET
JWT_REFRESH_SECRET

# CLI
CLI_API_KEY

• Security issues: security@yflow.io
• General questions: GitHub Issues

Thank you for helping keep YFlow secure!