Please report security issues privately. Do not open a public issue or pull request.
- Use GitHub's private vulnerability reporting ("Report a vulnerability" under the Security tab), or
- email contact@ionalpha.io.
Include a description, reproduction steps, affected version, and impact. We aim to acknowledge within a few business days and will coordinate a fix and disclosure timeline with you.
A machine-readable contact is published at .well-known/security.txt.
The published threat model describes the trust boundaries, the classes of attack Flynn defends against, and which defense is responsible for each, with a clear split between what is enforced today and what is planned.
Until a 1.0 release, only the latest release and main receive security fixes.
This repository is the open Flynn. Issues in a connected commercial host belong to that system, not here.