Security Policy
April 15, 2026 · View on GitHub
Supported Versions
| Version | Supported |
|---|---|
| 2.10.x | ✅ Active |
| < 2.10 | ❌ No longer supported |
Reporting a Vulnerability
If you discover a security vulnerability, please report it privately:
- Email: joinwell52@gmail.com
- Subject:
[SECURITY] CodeFlow — <brief description> - Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Please do NOT open a public GitHub Issue for security vulnerabilities.
We will acknowledge your report within 48 hours and provide an estimated timeline for a fix.
Security Best Practices for Users
- Never commit
room_key, tokens, or passwords to public repositories - Keep
codeflow.jsonand.gitee_tokenin.gitignore - Use the latest Desktop version (auto-update will prompt you)
- Run the relay server behind HTTPS in production
Scope
This policy covers:
- CodeFlow Desktop (
codeflow-desktop/) - CodeFlow PWA (
web/pwa/) - CodeFlow MCP Plugin (
codeflow-plugin/) - WebSocket Relay (
server/relay/)