Security: hakyung4/flowkey

SECURITY.md

Security policy

Reporting a vulnerability

If you believe you have found a security issue in FlowKey, please do not open a public GitHub issue. Instead, use GitHub's private "Report a vulnerability" workflow on the Security tab, or email the maintainer privately.

We aim to acknowledge reports within 72 hours.

Threat model

FlowKey is a local-only, per-user automation tool. It has no network listeners and stores all data under ~/.flowkey/. The IPC control socket is created with mode 0600 so only the owning user can talk to the daemon.

The following classes of bugs are in scope for reports:

  • Privilege escalation beyond the privileges of the user running FlowKey
  • Anything that lets a non-owner process talk to the daemon
  • Memory safety issues (use-after-free, OOB read/write) in the C engine
  • Path traversal escaping the user's configured roots
  • Pattern engine denial of service (CPU/memory exhaustion from crafted input)

The following are explicitly out of scope (working as designed):

  • The user's own rules.txt and recipes/*.fk files run shell commands with the user's own privileges. Treat these files as code, not as data.
  • open_with and run_cmd workflow operations invoke system(3). Filenames observed from the filesystem are interpolated into shell commands; do not point the observer at directories writable by less-trusted users.
  • The daemon may delete or rename files. Use dry_run = true in rules until you are confident.
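
As an added example (not FlowKey's own code), the pattern that avoids the interpolation hazard described above: the observed filename is handed to the helper program as a single argv element through fork/exec instead of being spliced into a string for system(3), plus a conservative allowlist check a rule author could apply before letting a name reach a shell command at all. `run_without_shell` and `filename_is_shell_safe` are assumed names, not FlowKey APIs.

```c
/* Added example, not FlowKey code. Passing the filename as its own argv
 * element means shell metacharacters in the name are never interpreted,
 * because no shell is involved. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Conservative allowlist for names that a rule author still wants to hand
 * to a shell command: letters, digits and a few punctuation characters.
 * A leading '-' is rejected so the name cannot be parsed as an option by
 * the helper program. Returns 1 if the name is non-empty and fully allowed. */
int filename_is_shell_safe(const char *name)
{
    static const char extra[] = "._+@:/";
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
            (*p >= '0' && *p <= '9') || *p == '-' || strchr(extra, *p) != NULL)
            continue;
        return 0;               /* space, quote, ';', '$', '`', '|', ... */
    }
    return 1;
}

/* Run `program <path>` with no shell in between. Returns the child's exit
 * status, or -1 if fork/waitpid failed or the child did not exit normally. */
int run_without_shell(const char *program, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The path is one argument; it is never re-parsed as command text. */
        char *const argv[] = { (char *)program, (char *)path, NULL };
        execvp(program, argv);
        _exit(127);             /* exec failed: conventional exit code */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allowlist is deliberately stricter than the shell needs; the safer fix is always the argv form, which needs no allowlist at all.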

Supported versions

Only the latest tagged release receives security fixes. Older versions are provided as-is.