Security: FlowiseAI/Flowise

SECURITY.md

Responsible Disclosure Policy

At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users.

Vulnerabilities

The following types of issues are some of the most common vulnerabilities:

  • Clickjacking on pages without sensitive actions
  • CSRF on unauthenticated/logout/# pages
  • Attacks requiring MITM (Man-in-the-Middle) or physical device access
  • Social engineering attacks
  • Activities that cause service disruption (DoS)
  • Content spoofing and text injection without a valid attack vector
  • Email spoofing
  • Absence of DNSSEC, CAA, CSP headers
  • Missing Secure or HttpOnly flag on non-sensitive cookies
  • Dead links
  • User enumeration

Reporting Guidelines

Disclosure Guidelines

  • Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
  • If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review.
  • Avoid including:
    • Data from any Flowise customer projects
    • Flowise user/customer information
    • Details about Flowise employees, contractors, or partners

Response to Reports

  • We will acknowledge your report within 5 business days and provide an estimated resolution timeline.
  • Your report will be kept confidential, and your details will not be shared without your consent.

We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.