If you believe you have found a security vulnerability in any project
under the flui-cloud organization,
please report it privately. Do not open a public GitHub issue for
security problems.
Two equivalent channels are accepted:
- Email: send the details to security@flui.cloud.
- GitHub private advisory: use the Security → Report a vulnerability tab on the affected repository (when enabled).
Please include:
- A description of the issue and the project / version affected.
- Steps to reproduce, if possible a minimal proof of concept.
- The impact you anticipate (data exposure, RCE, privilege escalation, denial of service, etc.).
- Any suggested mitigation, if you have one.
- Acknowledgement of your report within 5 business days.
- An initial assessment and severity rating shared with you.
- Fixes prioritized according to severity. Critical issues get a coordinated disclosure plan; lower-severity issues are folded into the regular release cadence.
- Credit in the published advisory, unless you prefer to remain anonymous.
Each repository's README documents which versions are currently maintained. As a default, only the latest minor release line of each project receives security fixes.
- Vulnerabilities in third-party dependencies that have not yet been patched upstream — please report those to the upstream project. We will track and roll forward once a fix is available.
- Findings from automated scanners without a demonstrated impact.
- Social engineering of project maintainers.