We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT open a public issue for security vulnerabilities
2. Email security concerns to: security@conflow.dev (or create a confidential issue)
3. Include as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 7 days
• Resolution Timeline: Depends on severity
  • Critical: 24-48 hours
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days

• We follow coordinated disclosure
• We will credit reporters (unless anonymity is requested)
• We aim to fix vulnerabilities before public disclosure

• All releases are built with cargo build --release
• Dependencies are audited using cargo audit
• Binary stripping enabled to reduce attack surface

• Dependencies are pinned via Cargo.lock
• Minimal dependency footprint
• No runtime network access required (offline-first design)

• Written in Rust for memory safety
• No unsafe blocks in core functionality
• Input validation on all user-provided data
• Path traversal protection in file operations

conflow is designed with security-conscious defaults:

• No automatic code execution without explicit pipeline definition
• Cache is local-only (no network sync)
• No telemetry or data collection
• Sandboxed execution where possible

conflow requires:

• Read access to configuration files
• Write access to output directories and cache
• Execute access for CUE and Nickel binaries

• Pipeline definitions can execute arbitrary shell commands via the shell tool type
• Users should review .conflow.yaml files from untrusted sources before running

• Primary: security@conflow.dev
• GitLab Issues: Use confidential issue feature
• PGP Key: Available upon request

We thank all security researchers who responsibly disclose vulnerabilities.