Security: TerrifiedBug/vectorflow

Security Policy

Reporting a Vulnerability

We take the security of VectorFlow seriously. If you discover a security vulnerability, please report it through GitHub's private vulnerability reporting.

How to Report

  1. Go to the Security Advisories page
  2. Click "Report a vulnerability"
  3. Provide a description of the vulnerability, steps to reproduce, and any potential impact

What to Expect

  • Acknowledgment within 48 hours of your report
  • Status update within 7 days with an assessment and expected resolution timeline
  • Credit in the release notes when the fix is published (unless you prefer to remain anonymous)

Scope

The following are in scope for security reports:

  • Authentication and authorization bypasses
  • Credential or secret exposure
  • SQL injection, XSS, or other injection attacks
  • Privilege escalation
  • Agent-to-server communication security issues

Out of Scope

  • Vulnerabilities in dependencies (report these to the upstream project)
  • Social engineering attacks
  • Denial of service attacks that require significant resources

Supported Versions

Version    Supported
0.1.x      Yes

There aren’t any published security advisories