The flexo team and IBM take security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
To report a security issue, please open a draft security advisory by visiting: https://github.com/ibm/flexo/security/advisories/new
Please DO NOT file a public issue for security vulnerabilities.

- Once you submit a vulnerability report, it will be reviewed within 5 business days
- We will acknowledge your report and provide an initial assessment
- We will work on reproducing and validating the issue
- Once validated, we will develop and test a fix
- A security advisory will be published and the fix will be released
- Credit will be given to the reporter (unless anonymity is requested)

We provide security updates for the latest minor version of the most recent major version.
Security fixes will be released as:
- Patch releases for critical vulnerabilities
- Part of regular releases for non-critical issues

We use automated dependency scanning to identify known vulnerabilities in our dependencies. Users should ensure they are using the latest compatible versions of all dependencies when deploying the project.