Security policy


Safety is one of the core principles of FlakeHub, and to that end, we would like to ensure that FlakeHub has a secure implementation.

Thank you for taking the time to disclose any issues you find responsibly.

All security bugs in FlakeHub or its associated projects should be reported by email to This list is delivered to a small security team. Your email will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.

Be sure to use a descriptive subject line to avoid missing your report. After the initial reply to your report, the security team will endeavour to inform you of the progress towards a fix and full announcement. As RFPolicy recommends, these updates will be sent at least every five days.

If you have not received a reply to your email within 48 hours or have not heard from our security team for the past five days, there are a few steps you can take (in order):

  • Contact the security coordinators directly by sending an email to
  • Post in our Discord server in the #security channel
    • Please note that the discussion forums are public areas. When escalating in these venues, please do not discuss your issue. Say that you’re trying to reach someone from the security team.

Disclosure policy

FlakeHub has a 5 step disclosure process.

  1. The security report is received and assigned a primary handler. This person will coordinate the fix and release process.
  2. The problem is confirmed, and a list of all affected versions is determined.
  3. Code is audited to find any potential similar problems.
  4. Fixes are prepared for all releases which are still under maintenance.
  5. The changes are pushed to the source code repository, and new builds are deployed to An incident response will be published on the FlakeHub blog within 24 hours if appropriate.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug as promptly as possible. We must, however, follow the release process above to ensure the disclosure is handled consistently.

Adapted from the Rust Security Policy.