Security

Security & Responsible Disclosure

Last updated: 2026-05-16

Reporting a vulnerability

If you believe you have found a security issue in QodFlow, please email hello@qodflow.com. Encrypt with our public key (available on request) if the report contains exploit details.

QodFlow is a pre-revenue MVP — we cannot pay bounties. What we offer in exchange for a valid finding is durable public credit: a line in the Hall of Fame below, a Reported-by: line in the commit that fixes the issue, a changelog entry, and a thank-you from the official account. We acknowledge every report within 5 business days and credit named researchers (with their consent).

Safe-harbor commitments

If you act in good faith — no data exfiltration, no service degradation, no social engineering of staff or customers — we will not pursue legal action and will work with you on disclosure timelines.

  • Stay within the scope of your own test accounts. Do not access other customers' data.
  • Don't run automated scanners at high volume — coordinate first so we can whitelist you.
  • Give us a reasonable time to fix before public disclosure (typically 90 days).

What we protect, and how

Data at rest

Customer Postgres lives on Neon with daily snapshots and point-in-time recovery. Passwords are bcrypt-hashed (cost 12). API tokens are stored as bcrypt of the secret tail — the plaintext is shown ONCE at creation and never persisted.

Data in transit

HTTPS everywhere, HSTS, strict transport headers. Session cookies are httpOnly, SameSite=Lax, secure in production.

Authentication

Email + password (bcrypt), Google OAuth with PKCE, and magic-link email. Login attempts are rate-limited per IP and per account. Account-level lockouts trigger after sustained failures.

Authorization

Every database query is filtered by the caller's active team. Owners, admins, and members each have distinct privileges, enforced server-side. Public-board tokens use 24-character CUIDs and can be rotated at any time from team settings.

Destructive actions

Team deletion requires an explicit confirmation phrase from the team owner. Deletes are soft for 30 days and reversible from the UI within that window. Mass-deletion patterns trigger an alert and an automatic temporary freeze pending review.

API & MCP agents

Personal Access Tokens (qf_live_ / qf_test_) are scoped by resource and action, expire on a schedule of your choosing (max 365 days), and can be revoked instantly. Destructive scopes (team:admin) require a runtime confirmation literal in the request body — no agent can "quietly" delete a team or wipe data.

All token-authenticated requests are written to a per-team audit log queryable by team owners. If a token is compromised, revoke it and we will help you trace any actions it took.

Outages and status

Live system status is published at /status. Material incidents (data loss, unauthorized access) are reported to affected customers within 72 hours per applicable breach-notification law.

Hall of Fame

Researchers who have responsibly disclosed issues to us. Thank you. (Empty as of launch — be the first.)

    Out of scope

    • Findings that require physical access to a user's device.
    • Theoretical issues without a working proof of concept.
    • Reports generated entirely by automated scanners without manual verification.
    • Self-XSS, missing best-practice headers without an exploit path, and clickjacking on unauthenticated pages with no sensitive actions.