We take the security of M-flow seriously. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use one of the following methods:

1. GitHub Security Advisories (preferred): Navigate to the Security tab of this repository and click "Report a vulnerability."

2. Email: Send a detailed report to contact@xinliuyuansu.com.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 5 business days
• Resolution target: Within 30 days for critical issues

The following are in scope:

• M-flow backend (m_flow/)
• M-flow frontend (m_flow-frontend/)
• M-flow MCP server (m_flow-mcp/)
• Official Docker images
• Dependencies with known CVEs affecting M-flow

We appreciate responsible disclosure. Contributors who report valid security issues will be acknowledged in the release notes (unless they prefer to remain anonymous).