| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub Security Advisories to report vulnerabilities privately.
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if you have one)
- Initial response: Within 48 hours
- Status update: Within 7 days
- Resolution target: Within 30 days for critical issues
- Code execution vulnerabilities
- Privilege escalation
- Secrets/credentials exposure
- Path traversal vulnerabilities
- Unsafe file operations (especially
/etc/hostsmodifications) - IPC protocol vulnerabilities
- Denial of service through resource exhaustion (CLI tool)
- Issues requiring physical access to the machine
- Social engineering attacks
- Issues in dependencies (report upstream, but let us know)
Flux follows these security principles:
- No hardcoded secrets: All credentials use environment variables or secure storage
- Minimal permissions: Uses systemd capabilities instead of sudo when possible
- Safe file operations: Validates paths and creates backups before modifications
- Input validation: Validates all user input and IPC messages