
Create SECURITY.md #2000

Closed
wants to merge 1 commit into from

Conversation

0xfatty (Author) commented May 28, 2024

Initializing Security report policies page


vercel bot commented May 28, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name: langflow; Status: Ready; Updated (UTC): May 28, 2024 7:44pm

ogabrielluiz (Contributor) commented:

Hey @0xfatty

How are you?

Could you help me understand a bit more about what the best approach to support this doc is?

0xfatty (Author) commented May 29, 2024

Hi @ogabrielluiz,

Thank you for reaching out. First of all, I do apologize for not putting more detailed information into my commit. Creating a SECURITY.md file is a best practice for open-source projects like Langflow to communicate security policies and procedures to users and contributors, following GitHub's security recommendations [1].

The purpose of SECURITY.md is to clearly define the guidelines on how to report security vulnerabilities and security-related issues. Using that mechanism [2], it encourages Langflow users toward responsible disclosure and outlines the steps for security reporting. With the information provided in the outline, it would help maintainers and contributors keep track of reported security issues and create security advisories for vulnerability management purposes.

How to best approach this:
1/ Users report security issues using [2] or create a GitHub issue
2/ Maintainers review the issue and work on a fix/workaround
3/ Maintainers publish security advisories for the reported issues and request CVEs

I hope my wording makes sense. Please feel free to let me know if there are any other questions or concerns. I will be more than happy to assist. Given that Langflow is getting a lot of attention from the public, with over 18k stars, this would further strengthen its reputation and help keep its users safe.

References:

[1] https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory
[2] https://github.com/langflow-ai/langflow/security

YamonBot (Contributor) commented:

In my understanding, this request seems to define a method for collecting security issues like data injection and proposes a template for directly reporting security concerns in GitHub's security tab.

In Langflow, remote code changes through APIs or UI are possible, and since the Langflow core team is handling the barriers, it seems that they are seeking more extensive participation from contributors.

https://github.com/kanboard/kanboard/security

I would like to share that in one of the projects I have been paying attention to, this approach is being managed effectively.

YamonBot (Contributor) commented:

Given that Langflow's API and code logic inherently require meticulous management, and the migration to tools like Zustand or Casbin is still underway, it doesn't seem like the right time to consider this document.

Labels: size:S (This PR changes 10-29 lines, ignoring generated files.)