If you find a security issue, please open a private security advisory instead of a public issue.
Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment

Drift FM is designed to run on a private network or behind a reverse proxy. The threat model assumes a trusted operator. Shell scripts (import, normalize) are run locally by the operator and are not exposed to network input.

Only the latest release on main is supported.