If you discover a security vulnerability in Notiflo, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email security@notiflo.dev with:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Any potential impact assessment
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation plan within 7 days.
| Version | Supported |
|---|---|
| 0.1.x | Yes |
- The Rhai script sandbox has configurable execution timeouts to prevent resource exhaustion
- HTTP delivery uses TLS by default
- Redis connections support TLS via `rediss://` URLs
- No user-supplied input is passed to shell commands
- API key authentication for organization-scoped endpoints
- Input validation via class-validator on all DTOs
- MongoDB injection protection through Mongoose schema validation
- CORS is configurable via the `CORS_ORIGIN` environment variable
- MongoDB and Redis should be deployed with authentication enabled in production
- Use network policies to restrict access between services
- Rotate API keys regularly through the management API
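One way to turn the Redis TLS, authentication and CORS points above into a fail-closed start-up check is shown below. This is an added example, not Notiflo's own code; `CORS_ORIGIN` is the variable named in this document, while `REDIS_URL`, `MONGODB_URI` and the comma-separated form of `CORS_ORIGIN` are assumptions.

```typescript
// Added example (not part of Notiflo): a start-up preflight that refuses to run
// a production deployment whose Redis, MongoDB or CORS settings contradict the
// recommendations in this document. REDIS_URL and MONGODB_URI are hypothetical
// variable names; CORS_ORIGIN is the one the document names.

type Env = Record<string, string | undefined>;

// Parse with the WHATWG URL parser so the scheme and userinfo are taken from
// the connection string rather than from ad-hoc string matching.
function parseUrl(raw: string | undefined): URL | null {
  if (!raw) return null;
  try { return new URL(raw); } catch { return null; }
}

// Returns a list of findings; an empty list means the configuration passes.
function productionConfigFindings(env: Env): string[] {
  const findings: string[] = [];

  // Redis: TLS only via rediss://, and a password so Redis AUTH is actually used.
  const redis = parseUrl(env.REDIS_URL);
  if (!redis) findings.push("REDIS_URL missing or unparsable");
  else {
    if (redis.protocol !== "rediss:") findings.push("REDIS_URL must use rediss:// (TLS)");
    if (!redis.password) findings.push("REDIS_URL has no password (Redis AUTH not enforced)");
  }

  // MongoDB: the connection string must carry credentials (authentication enabled).
  const mongo = parseUrl(env.MONGODB_URI);
  if (!mongo) findings.push("MONGODB_URI missing or unparsable");
  else if (!mongo.username || !mongo.password) findings.push("MONGODB_URI has no credentials");

  // CORS: an explicit allow-list (assumed comma-separated), never a wildcard.
  const origins = (env.CORS_ORIGIN ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  if (origins.length === 0) findings.push("CORS_ORIGIN is not set");
  if (origins.includes("*")) findings.push("CORS_ORIGIN allows any origin (*)");

  return findings;
}

// Enforced only when NODE_ENV is "production"; local development is left alone.
function assertProductionConfig(env: Env): void {
  if (env.NODE_ENV !== "production") return;
  const findings = productionConfigFindings(env);
  if (findings.length > 0) {
    throw new Error("Refusing to start with insecure configuration:\n - " + findings.join("\n - "));
  }
}
```

Call `assertProductionConfig(process.env)` before opening any database or HTTP listener so a misconfigured instance never serves traffic.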