Only the current release line is supported for security fixes.

Report security issues by email to security@flapjack.foo.

Please include:

• A clear description of the issue and impact.
• Steps to reproduce, proof-of-concept details, or logs.
• Affected version/build and deployment context.
• Any suggested remediation if available.

• Acknowledge new reports within 48 hours.
• Provide regular status updates during triage and remediation.
• Target a fix or mitigation for critical vulnerabilities within 90 days.

• Core search engine (engine/src/).
• HTTP/API layer and request handling.
• Authentication and authorization behavior.
• Replication and data synchronization logic.

• Dashboard cosmetic-only issues with no security impact.

For implementation-level hardening controls, see:

• Security baseline