Security: LSCSZP/taskflow-api

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.x       Yes
< 1.0     No

Reporting a Vulnerability

Please report security vulnerabilities to security@taskflow.io. Do not open public issues for security bugs.

We aim to respond within 48 hours and provide a fix within 30 days for critical issues.

Known Issues

The following security issues are tracked and scheduled for remediation:

  • SQL injection in task list ordering (priority: critical)
  • JWT none algorithm accepted (priority: critical)
  • Debug endpoint exposes secrets without auth (priority: critical)
  • SSRF in webhook registration (priority: high)
  • Timing oracle in login endpoint (priority: medium)
  • Missing rate limiting (priority: medium)

Security Audit Tooling

We use the following tools for security analysis:

  • bandit - Python static analysis for security issues
  • pip-audit - Dependency vulnerability scanning
  • semgrep - Custom security rules