Skip to content

Security: flui-cloud/vops

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have found a security vulnerability in any project under the flui-cloud organization, please report it privately. Do not open a public GitHub issue for security problems.

Two equivalent channels are accepted:

  1. Email: send the details to security@flui.cloud.
  2. GitHub private advisory: use the Security → Report a vulnerability tab on the affected repository (when enabled).

Please include:

  • A description of the issue and the project / version affected.
  • Steps to reproduce, if possible a minimal proof of concept.
  • The impact you anticipate (data exposure, RCE, privilege escalation, denial of service, etc.).
  • Any suggested mitigation, if you have one.

What to expect

  • Acknowledgement of your report within 5 business days.
  • An initial assessment and severity rating shared with you.
  • Fixes prioritized according to severity. Critical issues get a coordinated disclosure plan; lower-severity issues are folded into the regular release cadence.
  • Credit in the published advisory, unless you prefer to remain anonymous.

Supported versions

Each repository's README documents which versions are currently maintained. As a default, only the latest minor release line of each project receives security fixes.

Out of scope

  • Vulnerabilities in third-party dependencies that have not yet been patched upstream — please report those to the upstream project. We will track and roll forward once a fix is available.
  • Findings from automated scanners without a demonstrated impact.
  • Social engineering of project maintainers.

There aren't any published security advisories