The Firefly Framework team takes security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
| Version | Supported |
|---|---|
| 26.02.x | ✅ |
| < 26.02.0 | ❌ |
Only the latest CalVer release line receives security patches. If you are running an older version, please upgrade before reporting.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, send an email to:
Include the following information in your report:
- Description -- A clear description of the vulnerability.
- Affected component -- The module, class, or endpoint involved.
- Reproduction steps -- Detailed steps to reproduce the issue.
- Impact assessment -- Your understanding of the potential impact (e.g., data exposure, denial of service, remote code execution).
- Proof of concept -- Code, screenshots, or logs that demonstrate the vulnerability (if available).
- Your environment -- Firefly version, Java version, operating system, and any relevant configuration.
Please encrypt sensitive reports using our PGP key if available (contact us for the key).
| Stage | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix for critical issues | Within 7 days |
For non-critical issues, fixes will be included in the next scheduled release. We will keep you informed of our progress throughout the process.
We follow a coordinated disclosure policy:
- Reporter submits the vulnerability via email.
- We acknowledge receipt and begin our assessment.
- We develop and test a fix in a private branch.
- We release the patch and publish a security advisory on GitHub.
- Public disclosure occurs after the patch is available, typically within 90 days of the initial report. We will coordinate the disclosure timeline with you.
We ask that you:
- Do not disclose the vulnerability publicly until a fix has been released and users have had reasonable time to update.
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
- Do not access, modify, or delete data belonging to other users.
We believe in recognizing the security community's contributions. With your permission, we will:
- Credit you by name (or alias) in the security advisory.
- Include your name in our release notes for the patched version.
- Add you to our Security Hall of Fame (if established).
If you prefer to remain anonymous, we will respect that preference.
Thank you for helping keep Firefly Framework and its users safe.