Security fixes are provided for the latest released minor version and the main branch.
| Version | Supported |
|---|---|
| latest release | Yes |
| older releases | Best effort |
Do not open a public GitHub issue for suspected security vulnerabilities.
Report privately through GitHub Security Advisories:
https://github.com/rushairer/batchflow/security/advisories/new
If GitHub Security Advisories are unavailable, contact the maintainers privately and include:
- affected BatchFlow version or commit
- Go version and operating system
- database/backend involved, if applicable
- minimal reproduction steps
- expected impact and any known workaround
The maintainers will triage reports as follows:
- Acknowledge receipt within 7 days when possible.
- Confirm scope, severity, and affected versions.
- Prepare a fix and tests privately when needed.
- Publish a release and advisory after the fix is available.
BatchFlow integrations must not expose raw row payloads, SQL args, Redis keys, HTTP bodies, credentials, tokens, or user identifiers in logs or Prometheus labels. Use fingerprints, counts, low-cardinality reason labels, and redacted structured attributes instead.