The FlowDocs team takes security seriously. If you discover a security vulnerability, please report it responsibly.

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security issues by:

1. GitHub Security Advisories (Preferred):

   • Go to our Security Advisories page
   • Click "Report a vulnerability"
   • Fill out the form with details

2. Email:

   • Send details to: security@flowdocs.com
   • Use PGP encryption if possible (key available on request)

When reporting a security vulnerability, please include:

• Description: Clear description of the vulnerability
• Steps to Reproduce: Detailed steps to reproduce the issue
• Impact: Assessment of the potential impact
• Affected Versions: Which versions are affected
• Suggested Fix: If you have ideas for fixing the issue
• Your Contact Info: So we can follow up with questions

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Regular Updates: At least weekly until resolved
• Resolution: Varies based on complexity and severity

We believe in recognizing security researchers who help make FlowDocs safer:

• Hall of Fame: Recognition in our security acknowledgments
• CVE Credit: Proper attribution for discovered vulnerabilities
• Direct Communication: Work directly with our security team

• Code Reviews: All code changes require review
• Dependency Scanning: Automated scanning for vulnerable dependencies
• Static Analysis: Automated security analysis of code
• Type Safety: TypeScript for type safety and error prevention

• HTTPS Only: All communications encrypted
• Authentication: Secure user authentication via Clerk
• Authorization: Role-based access control
• Input Validation: All user inputs validated and sanitized
• Rate Limiting: Protection against abuse
• Security Headers: Appropriate security headers configured

• Encryption: Data encrypted in transit and at rest
• Access Controls: Principle of least privilege
• Audit Logs: Security-relevant actions logged
• Data Minimization: Only collect necessary data
• Regular Backups: Secure backup procedures

• Input Validation: Always validate and sanitize user inputs
• SQL Injection: Use parameterized queries
• XSS Prevention: Sanitize outputs and use Content Security Policy
• CSRF Protection: Use CSRF tokens for state-changing operations
• Authentication: Never store passwords in plain text
• Authorization: Always check permissions before actions

• Keep Updated: Regularly update dependencies
• Audit Packages: Review new dependencies for security issues
• Minimal Dependencies: Only add necessary dependencies
• Security Scanning: Use tools like npm audit

• Environment Variables: Never commit secrets to version control
• API Keys: Rotate API keys regularly
• Development vs Production: Separate development and production environments
• Access Control: Limit access to production systems

• Client-side API Keys: Some API keys are necessarily exposed on the client side (Clerk, Liveblocks public keys)
• Real-time Data: Real-time collaboration requires careful access control management

• Public Key Design: Services are designed to work safely with public keys
• Server-side Validation: All critical operations validated server-side
• Access Control: Granular permissions system in place

• Account Security: Use strong, unique passwords
• Two-Factor Authentication: Enable 2FA when available
• Suspicious Activity: Report any suspicious activity immediately
• Data Sharing: Be cautious about what data you share in documents

• OWASP Guidelines: Follow OWASP security guidelines
• Security Training: Stay updated on security best practices
• Code Review: Participate in security-focused code reviews
• Threat Modeling: Consider security implications of new features

1. Assessment: Evaluate severity and impact
2. Fix Development: Develop and test security fixes
3. Review: Security team reviews all fixes
4. Deployment: Deploy fixes to production
5. Notification: Notify users of security updates

• Security Advisories: Published for significant vulnerabilities
• Release Notes: Security fixes mentioned in release notes
• User Notifications: Direct notifications for critical issues

We welcome security research and responsible disclosure:

• Responsible Disclosure: Follow responsible disclosure practices
• No Harm: Don't cause damage or access user data unnecessarily
• Good Faith: Research conducted in good faith
• Compliance: Follow applicable laws and regulations

• Timely Response: Respond promptly to reports
• Fair Treatment: Treat researchers with respect
• No Legal Action: No legal action for good faith research
• Public Recognition: Credit researchers (if desired)

• Security Email: security@flowdocs.com
• General Contact: support@flowdocs.com
• GitHub Security: Use GitHub Security Advisories

Last Updated: January 2025
Next Review: April 2025

This security policy is regularly reviewed and updated to reflect current best practices and threats.