Skip to content

Security: flarecode-sh/flarecode

Security

SECURITY.md

Security Policy

We take the security of FlareCode and our users' code seriously.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, email [email protected] with:

  • A description of the issue and its potential impact
  • Steps to reproduce (proof-of-concept welcome)
  • Any relevant logs, URLs, or screenshots (never include real secrets or third-party data)

We aim to acknowledge reports within 48 hours and will keep you updated as we investigate and fix. Please give us a reasonable window to remediate before any public disclosure.

Scope

In scope: flarecode.sh, app.flarecode.sh, the API, and the agent sandbox environment.

Out of scope: social-engineering, physical attacks, volumetric DoS, and findings that require a compromised user device or browser.

Our commitments to you

  • Minimal GitHub App scopes (contents, pull_requests, metadata, actions) — never admin:org or delete:repo.
  • Secrets are injected at runtime, never persisted, and never written into model context.
  • Log streams are scrubbed for known secret patterns; source code is not retained in logs.

More detail: https://flarecode.sh/security

There aren't any published security advisories