
Security: MS33834/taskflow


SECURITY.md

Security Policy

Supported Versions

The following versions of TaskFlow are currently supported with security updates:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

If you discover a security vulnerability in TaskFlow, please report it responsibly.

  • Do not open a public issue for security vulnerabilities.
  • Email the maintainer at security@ms33834.dev with details.
  • Include steps to reproduce, affected versions, and any suggested fixes.

We aim to respond within 7 days and release a patch within 30 days for confirmed vulnerabilities.

Security Practices

TaskFlow follows these security practices:

  • Local-first architecture with optional end-to-end encrypted synchronization.
  • SQLite database encrypted at rest using SQLCipher.
  • Sensitive settings protected by user-defined lock methods.
  • Automated secret scanning via gitleaks in CI.
  • Dependency review and OSSF Scorecard monitoring enabled.
  • Property-based fuzz testing with Hypothesis (see docs/fuzzing.md).
  • All changes require PR review before merge.

Audit Findings Tracker

TaskFlow has completed two rounds of security audits (TF-001019 and TF2-001017), totaling 36 findings. The unified status of all findings is tracked in docs/security/SECURITY_TRACKER.md, which serves as the single source of truth.

Disclosure Policy

Once a fix is released, we will publish a security advisory and credit the reporter unless they prefer to remain anonymous.
