We take the security of FlareCode and our users' code seriously.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, email [email protected] with:
- A description of the issue and its potential impact
- Steps to reproduce (proof-of-concept welcome)
- Any relevant logs, URLs, or screenshots (never include real secrets or third-party data)
We aim to acknowledge reports within 48 hours and will keep you updated as we investigate and fix. Please give us a reasonable window to remediate before any public disclosure.
In scope: flarecode.sh, app.flarecode.sh, the API, and the agent sandbox environment.
Out of scope: social-engineering, physical attacks, volumetric DoS, and findings that require a compromised user device or browser.
- Minimal GitHub App scopes (
contents,pull_requests,metadata,actions) — neveradmin:orgordelete:repo. - Secrets are injected at runtime, never persisted, and never written into model context.
- Log streams are scrubbed for known secret patterns; source code is not retained in logs.
More detail: https://flarecode.sh/security