Security
Last updated: 2026-05-16
If you believe you have found a security issue in QodFlow, please email hello@qodflow.com. Encrypt with our public key (available on request) if the report contains exploit details.
QodFlow is a pre-revenue MVP — we cannot pay bounties. What we offer in exchange for a valid finding is durable public credit: a line in the Hall of Fame below, a Reported-by: line in the commit that fixes the issue, a changelog entry, and a thank-you from the official account. We acknowledge every report within 5 business days and credit named researchers (with their consent).
If you act in good faith — no data exfiltration, no service degradation, no social engineering of staff or customers — we will not pursue legal action and will work with you on disclosure timelines.
Customer data lives in Postgres on Neon, with daily snapshots and point-in-time recovery. Passwords are hashed with bcrypt (cost 12). API tokens are stored as a bcrypt hash of the token's secret portion; the plaintext is shown once, at creation, and is never persisted.
All traffic is served over HTTPS with HSTS enabled. Session cookies are HttpOnly and SameSite=Lax, and carry the Secure flag in production.
Sign-in methods are email and password (bcrypt), Google OAuth with PKCE, and magic-link email. Login attempts are rate-limited per IP address and per account, and account-level lockouts are triggered after sustained failed attempts.
Every database query is filtered by the caller's active team. Owners, admins, and members have distinct privileges, enforced server-side. Public-board tokens are 24-character CUIDs and can be rotated at any time from team settings.
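The two server-side checks above (filtering every query by the caller's active team, and gating actions on the owner/admin/member role) look like the following in practice. This is an added example written for this page, not QodFlow's code: the schema, the sample users and boards, the Forbidden exception, and the use of an in-memory SQLite database are all constructed for the demo. The point it shows is that `active_team` comes from the caller's session and is placed in every WHERE clause, so a valid board id from another team returns nothing rather than leaking.

```python
"""Team-scoped queries and server-side role checks.

Added example for this page, not QodFlow's code. The schema, the sample
users and boards, and the Forbidden exception are constructed for the demo.
"""
import sqlite3

ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}   # page: three roles with distinct privileges


class Forbidden(Exception):
    pass


def setup_db() -> sqlite3.Connection:
    """In-memory database with two teams, so cross-team access can be tested."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE memberships (user_id TEXT, team_id TEXT, role TEXT,
                                  PRIMARY KEY (user_id, team_id));
        CREATE TABLE boards (id INTEGER PRIMARY KEY, team_id TEXT NOT NULL, title TEXT NOT NULL);
        """
    )
    # Constructed sample data: alice owns team_a, bob is a member, carol administers team_b.
    db.executemany("INSERT INTO memberships VALUES (?, ?, ?)", [
        ("alice", "team_a", "owner"), ("bob", "team_a", "member"), ("carol", "team_b", "admin"),
    ])
    db.executemany("INSERT INTO boards (team_id, title) VALUES (?, ?)", [
        ("team_a", "Roadmap"), ("team_a", "Bugs"), ("team_b", "Pricing draft"),
    ])
    return db


def require_role(db, user_id: str, team_id: str, minimum: str) -> str:
    """Raise Forbidden unless user_id holds at least `minimum` in team_id."""
    row = db.execute(
        "SELECT role FROM memberships WHERE user_id = ? AND team_id = ?", (user_id, team_id)
    ).fetchone()
    if row is None or ROLE_RANK[row[0]] < ROLE_RANK[minimum]:
        raise Forbidden(f"{user_id} is not {minimum} or above in {team_id}")
    return row[0]


def list_boards(db, user_id: str, active_team: str) -> list:
    # active_team is the caller's session team, never a request parameter.
    require_role(db, user_id, active_team, "member")
    rows = db.execute("SELECT title FROM boards WHERE team_id = ? ORDER BY id", (active_team,))
    return [r[0] for r in rows]


def get_board(db, user_id: str, active_team: str, board_id: int):
    """team_id stays in the WHERE clause even though id alone is unique:
    a guessed id belonging to another team returns None instead of a row."""
    require_role(db, user_id, active_team, "member")
    return db.execute(
        "SELECT id, title FROM boards WHERE id = ? AND team_id = ?", (board_id, active_team)
    ).fetchone()


def rename_board(db, user_id: str, active_team: str, board_id: int, title: str) -> int:
    """Admin-or-owner action; returns rows changed (0 if the board is not in this team)."""
    require_role(db, user_id, active_team, "admin")
    cur = db.execute(
        "UPDATE boards SET title = ? WHERE id = ? AND team_id = ?", (title, board_id, active_team)
    )
    return cur.rowcount
```

The role check runs before the query rather than being folded into it, so a non-member gets a Forbidden error instead of an empty result that is indistinguishable from "no boards yet".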
Team deletion requires an explicit confirmation phrase from the team owner. Deletes are soft for 30 days and reversible from the UI within that window. Mass-deletion patterns trigger an alert and an automatic temporary freeze pending review.
Personal Access Tokens (prefixed qf_live_ or qf_test_) are scoped by resource and action, expire on a schedule you choose (at most 365 days), and can be revoked instantly. Destructive scopes (team:admin) additionally require a confirmation literal in the request body at call time, so no agent can "quietly" delete a team or wipe data.
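The token-storage scheme (a hash of the secret tail, plaintext shown once) and the scope, expiry, revocation and confirmation-literal rules above fit together as follows. This is an added example written for this page, not QodFlow's implementation. Everything beyond what the page states is an assumption: the token layout `qf_<env>_<token_id>.<secret>`, an in-memory dict standing in for the token table, `hashlib.scrypt` standing in for bcrypt (cost 12) so the example runs on the standard library alone, and the literal `DELETE TEAM <team_id>` as the confirmation string.

```python
"""Split-token storage with scoped, expiring, revocable API tokens.

Added example for this page; it is not QodFlow's code. Assumptions not
stated on the page: the token layout qf_<env>_<token_id>.<secret>, the
in-memory token table, hashlib.scrypt standing in for bcrypt so the example
runs on the standard library alone, and the confirmation literal
"DELETE TEAM <team_id>" for the team:admin scope.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_TTL_SECONDS = 365 * 24 * 3600      # page: tokens expire after at most 365 days
DESTRUCTIVE_SCOPES = {"team:admin"}     # page: destructive scopes need a confirmation literal


@dataclass
class StoredToken:
    token_id: str        # public lookup key; appears in the token string
    secret_hash: bytes   # hash of the secret tail; the tail itself is never stored
    salt: bytes
    team_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


TOKENS: dict = {}   # stands in for the tokens table


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # scrypt stands in for bcrypt (cost 12) so this runs without extra packages.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def issue_token(env: str, team_id: str, scopes, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Create a token and return its plaintext; this is the only time it exists unhashed."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("ttl must be between 1 second and 365 days")
    now = time.time() if now is None else now
    token_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    TOKENS[token_id] = StoredToken(token_id, _hash_secret(secret, salt), salt, team_id,
                                   frozenset(scopes), now + ttl_seconds)
    return f"qf_{env}_{token_id}.{secret}"


def parse_token(token: str):
    """Split 'qf_<env>_<id>.<secret>' into (env, id, secret); None if malformed."""
    head, sep, secret = token.partition(".")
    parts = head.split("_", 2)
    if (not sep or not secret or len(parts) != 3
            or parts[0] != "qf" or parts[1] not in ("live", "test")):
        return None
    return parts[1], parts[2], secret


def authenticate(token: str, now: Optional[float] = None):
    """Return the StoredToken for a valid, unexpired, unrevoked token, else None."""
    parsed = parse_token(token)
    if parsed is None:
        return None
    _env, token_id, secret = parsed
    rec = TOKENS.get(token_id)            # lookup by the non-secret id, not by the secret
    if rec is None or rec.revoked:
        return None
    if (time.time() if now is None else now) >= rec.expires_at:
        return None
    # Constant-time comparison of the hashed presented tail against the stored hash.
    if not hmac.compare_digest(_hash_secret(secret, rec.salt), rec.secret_hash):
        return None
    return rec


def revoke(token_id: str) -> None:
    rec = TOKENS.get(token_id)
    if rec is not None:
        rec.revoked = True


def authorize(rec: StoredToken, scope: str, team_id: str, body: dict):
    """Scope check plus the runtime confirmation literal for destructive scopes."""
    if rec.team_id != team_id:
        return False, "token belongs to another team"
    if scope not in rec.scopes:
        return False, f"token lacks scope {scope}"
    if scope in DESTRUCTIVE_SCOPES and body.get("confirm") != f"DELETE TEAM {team_id}":
        return False, "confirmation literal required"
    return True, "ok"
```

Keeping a non-secret `token_id` in the token string is what makes the hashed-secret design workable: the server can find the row by id and then run one slow hash comparison, instead of hashing the presented secret against every stored row. A leaked database dump yields only hashes, and a revoked or expired row fails before the hash is ever computed.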
All token-authenticated requests are written to a per-team audit log queryable by team owners. If a token is compromised, revoke it and we will help you trace any actions it took.
Live system status is published at /status. Material incidents (data loss, unauthorized access) are reported to affected customers within 72 hours per applicable breach-notification law.
Researchers who have responsibly disclosed issues to us. Thank you. (Empty as of launch — be the first.)