If a newly discovered vulnerability or security issue is discovered, we kindly ask our users and security researchers to disclose it privately and securely via the GitHub Security Advisories (GHSA) feature on this repository. Please do not report vulnerabilities via GitHub issues or other public channels. Disclosing a vulnerability publicly might lead to a situation where a vulnerability is widely known, but no fix is yet available, thus harming other users.
Alternatively, the report can be sent via email to security@spotflow.io. However, we prefer GHSA for security reasons.
Ultimately, we will publish all vulnerabilities publicly and credit the reporter appropriately for the discovery, but only after a fix is available.
Currently, we are not running any bug bounty programs.