We take the security of Flick seriously. Thank you for helping keep Flick and its users safe.
Security updates are provided for the latest release on the main branch.
Please make sure you are running the most recent version before reporting an
issue.
| Version | Supported |
|---|---|
| Latest (main) | ✅ |
| Older releases | ❌ |
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
Instead, report them privately so we can address the issue before it is disclosed publicly. Email the maintainers directly at matteo.tutti@epitech.eu and valentino.zarrillo@epitech.eu.
To help us triage and fix the issue quickly, please include:
- A description of the vulnerability and its impact
- Steps to reproduce (proof of concept if possible)
- The affected version, commit, or endpoint
- Any relevant logs, screenshots, or configuration details

Once we receive your report:
- Acknowledgement: we aim to acknowledge your report within 72 hours.
- Assessment: we will investigate and keep you informed of our progress.
- Fix & disclosure: once a fix is ready, we will coordinate a release and, with your permission, credit you for the discovery.
We ask that you give us a reasonable amount of time to resolve the issue before any public disclosure, and that you avoid accessing or modifying other users' data while researching.
This policy covers the Flick codebase in this repository (the Go API, the CLI, and the Next.js web app) and the official hosted instance at flick.d3l.tech.
Issues in third-party dependencies should be reported to their respective maintainers, though we appreciate a heads-up if they affect Flick.
Thank you for contributing to the security of Flick! 🛡️