Security: aarjava/fluxlens-ai

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Currently supported versions:

Version   Supported
0.1.x     yes

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@fluxlens.ai

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

What to Include

Please include the following information:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Our Commitment

  • We will acknowledge receipt of your vulnerability report within 2 business days
  • We will send regular updates about our progress
  • We will notify you when the vulnerability is fixed
  • We will publicly credit you for the discovery (unless you prefer to remain anonymous)

Security Best Practices

For Developers

  • All API routes are authenticated by default
  • Environment variables are never committed to version control
  • Dependencies are regularly updated and scanned for vulnerabilities
  • User input is validated and sanitized
  • Passwords are hashed using bcrypt
  • JWTs are used for session management with secure, httpOnly cookies

For Users

  • Use strong, unique passwords
  • Enable 2FA when available (coming soon)
  • Keep your API keys secure and rotate them regularly
  • Review OAuth permissions before granting access
  • Report suspicious activity immediately

Monitoring & Alerting

  • Production alerting/webhook guidance lives in docs/MONITORING.md (Sentry/PostHog/ALERT_WEBHOOK_URL).
  • Health checks: /api/health plus root path uptime monitors.
  • Observability smoke test: running pnpm vitest run tests/observability.spec.ts confirms that the Sentry/PostHog keys and hosts are configured.

Known Security Considerations

Data Privacy

  • FluxLens AI analyzes only metadata from collaboration tools
  • We do NOT read message content or monitor individual employees
  • All data transmission uses HTTPS/TLS encryption
  • Data at rest is encrypted (when using the production database)

Third-Party Integrations

  • OAuth tokens are stored securely with encryption
  • Tokens have minimal required scopes
  • Token refresh is handled automatically
  • Tokens can be revoked at any time

Disclosure Policy

  • We will coordinate disclosure timing with you
  • Security advisories will be published on GitHub Security Advisories
  • Critical vulnerabilities will be disclosed after a patch is available
  • We follow a 90-day disclosure timeline for non-critical issues

Bug Bounty Program

We are evaluating a bug bounty program. Updates will be posted here.

Security Audits

Last security audit: TBD
Next scheduled audit: TBD

Contact

For any security concerns, contact:

For security issues: security@fluxlens.ai

For general questions: hello@fluxlens.ai
