This policy applies to the Flamingock Community Edition and open-source client library.
For customers using the Cloud Edition, security issues are handled through our internal support and SLA channels.
As of the first release (v1.0.0), only the latest stable version of the client library is officially supported for security fixes.
Older versions may continue to work, but we do not commit to backporting fixes unless otherwise stated.
We’ll update this section once long-term support (LTS) versions are defined.
We take security seriously and appreciate responsible disclosures.
If you discover a security issue, please report it via one of the following:
- GitHub Security Advisories (preferred): Submit a report
- Email: Send details to
[email protected]
Please do not create public GitHub issues for security-related topics.
To help us respond quickly and accurately, include the following:
- A clear summary of the vulnerability
- A proof-of-concept (code samples required; optional reproduction video)
- A description of the impact and what the vulnerability can access
- Optionally, an estimated CVSS 3.1 score
We aim to acknowledge valid reports within 72 hours and fix confirmed issues as soon as possible, depending on complexity and severity.
Once a vulnerability is confirmed:
- A fix will be developed and tested internally
- A patch will be published in a new release
- A public security advisory will be issued
- Detailed disclosure may follow after a short delay to allow users to upgrade
If a CVE is warranted, we will request and publish one through GitHub's CVE issuance system.
- CVEs: We may issue CVEs for confirmed vulnerabilities, depending on severity and scope.
- Credit: With your permission, we are happy to acknowledge researchers or reporters publicly (e.g., changelog, advisory, or blog post).
- This policy applies only to the open-source client library.
- Vulnerabilities affecting the Cloud Edition are handled privately with customers under appropriate support agreements.
- Flamingock does not currently offer bounties or paid rewards for vulnerability reports.
Thank you for helping us keep Flamingock safe for everyone!