We actively support the following versions of FlowFi with security updates:

We take the security of FlowFi seriously. If you discover a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by:

1. Email: Send details to security@flowfi.dev (if available) or create a private security advisory on GitHub
2. GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
3. Direct Contact: Reach out to the maintainers directly through GitHub

Please include the following information in your report:

• Description: A clear description of the vulnerability
• Impact: The potential impact and severity of the issue
• Reproduction: Step-by-step instructions to reproduce the vulnerability
• Environment: Affected versions, operating systems, or configurations
• Proof of Concept: If applicable, include a minimal proof of concept
• Suggested Fix: If you have ideas for how to fix the issue

We are committed to responding to security reports promptly:

• Initial Response: Within 48 hours of receiving your report
• Status Update: Within 7 days with our assessment and planned timeline
• Resolution: We aim to resolve critical vulnerabilities within 30 days

• We follow responsible disclosure practices
• We will work with you to understand and resolve the issue before any public disclosure
• We will credit you in our security advisory (unless you prefer to remain anonymous)
• We ask that you do not publicly disclose the vulnerability until we have had a chance to address it

FlowFi uses Soroban smart contracts on the Stellar network. Key security considerations include:

• Audit Status: Our smart contracts are currently under development and have not been formally audited
• Testing: All contracts undergo extensive testing before deployment
• Upgrades: Contract upgrade mechanisms follow secure patterns

Our backend API implements several security measures:

• Rate Limiting: API endpoints are protected against abuse
• Input Validation: All inputs are validated using Zod schemas
• CORS: Cross-origin requests are properly configured
• Environment Variables: Sensitive configuration is stored securely

The frontend application follows security best practices:

• Content Security Policy: Implemented to prevent XSS attacks
• Secure Dependencies: Regular dependency updates and vulnerability scanning
• Wallet Integration: Secure handling of wallet connections and transactions

When using FlowFi, please follow these security guidelines:

1. Wallet Security: Never share your private keys or seed phrases
2. Transaction Verification: Always verify transaction details before signing
3. Network Security: Use secure, trusted networks when accessing FlowFi
4. Software Updates: Keep your wallet software and browser up to date
5. Phishing Protection: Always verify you're on the official FlowFi domain

Currently, FlowFi does not have a formal bug bounty program. However, we greatly appreciate security researchers who help improve our security posture and will acknowledge their contributions appropriately.

Security updates and advisories will be published:

• In this repository's Security Advisories
• In release notes for affected versions
• Through our official communication channels

For security-related questions or concerns that are not vulnerabilities, you can:

• Open a public issue with the security label
• Reach out to the maintainers through GitHub
• Join our community discussions

We thank the security research community for helping keep FlowFi and our users safe. Contributors who responsibly disclose vulnerabilities will be acknowledged in our security advisories and release notes.

This security policy is subject to change. Please check back regularly for updates.