We take security seriously. The following versions of GrantFlow are currently supported with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
If you discover a security vulnerability in GrantFlow, please report it responsibly to [email protected] instead of using the public issue tracker. This allows us to address the vulnerability before it becomes public knowledge.
To help us understand and address the vulnerability quickly, please include:
- Description: Clear explanation of the security issue
- Type: Classification (e.g., SQL injection, XSS, authentication bypass, data exposure, etc.)
- Location: Affected component(s) or file(s)
- Steps to Reproduce: Detailed instructions to confirm the vulnerability
- Impact Assessment: Potential impact on security (e.g., data exposure, privilege escalation, denial of service)
- Proof of Concept: If applicable, minimal code or steps demonstrating the vulnerability
- Your Contact Information: Email address and optional PGP public key for secure communication
We are committed to responding to security vulnerabilities promptly:
- Initial Response: Within 24 hours of report submission
- Status Updates: Every 3-5 business days
- Target Fix: Within 7-14 days for critical vulnerabilities
- Disclosure: Coordinated disclosure with your input on timing
- Store Securely: Never commit API keys, tokens, or credentials to version control
- Rotate Regularly: Implement a key rotation schedule
- Least Privilege: Use API keys with minimal required permissions
- Monitor Usage: Regularly review and audit API key usage
- Use a
.envfile for local development (add to.gitignore) - Never include
.envfiles in the repository - Use environment variable management tools for production environments
- Rotate secrets regularly
- Audit environment variable access
- Keep dependencies up to date with latest security patches
- Run regular dependency audits:
- Python:
pip audit - Node.js:
npm auditorpnpm audit
- Python:
- Review security advisories for critical dependencies
- Subscribe to security advisories for projects you depend on
- Use lock files to ensure consistent, audited versions
- Enable two-factor authentication (2FA) on all accounts
- Use strong, unique passwords
- Keep your operating system and development tools updated
- Review code changes before merging to main/development branches
- Use HTTPS for all communications with GrantFlow services
- Report suspicious activity immediately
For detailed information about GrantFlow's security architecture, threat modeling, and implementation details, see /docs/security-architecture.md.
When we fix a reported vulnerability:
- We will create a private security advisory
- We will coordinate with the reporter on disclosure timing (typically 30-90 days)
- We will publish a public security advisory with the fix
- We will credit the reporter in the advisory (unless they request anonymity)
Our security policy covers:
- Core GrantFlow application
- Official packages and libraries (in
/packages/) - Backend services (in
/services/) - Infrastructure as Code (in
/terraform/)
Third-party dependencies are subject to their own security policies. Please report third-party vulnerabilities to the respective project maintainers.
Thank you for helping us keep GrantFlow secure.