Skip to content

Security: EmberlyOSS/Flicker

Security

SECURITY.md

Security Policy

Thank you for helping keep Flicker and Emberly secure. This document explains how to report security issues and how we handle reports.

Reporting a Vulnerability

When reporting, include:

  • A clear description of the issue and impact
  • Steps to reproduce (minimal repro if possible)
  • Affected versions or commit hashes
  • Any PoC code or screenshots
  • Your contact email for follow-up (if not using GitHub Advisories)

We will acknowledge reports within 48 hours and provide an estimated timeline for remediation.

Scope

This policy covers the uploader (Flicker) desktop application and its associated backend endpoints and APIs managed in this repository.

Supported Versions

Please indicate the app version and platform in your report. We prioritize currently supported releases and actively maintained branches.

What We Will (and Won't) Do

  • We will investigate and, where appropriate, fix confirmed vulnerabilities.
  • We will coordinate disclosure with the reporter and, if required, publish a disclosure after a fix is available.
  • We will not issue bounties as a rule, but may make exceptions at our discretion.

Disclosure Process

  1. Reporter emails [email protected] with details.
  2. We acknowledge within 48 hours.
  3. We triage and assign severity and responsible engineers.
  4. We coordinate a fix and a disclosure timeline with the reporter.
  5. Once fixed, we publish an advisory (if applicable) and credit the reporter unless they request anonymity.

Safe Harbor

We ask researchers to follow responsible disclosure: do not exploit or exfiltrate user data while testing. We will not pursue legal action against good-faith security researchers who follow this policy.

If you have questions about this policy, open an issue on the Flicker repo or email [email protected].

There aren’t any published security advisories