If you discover a security vulnerability in taskflow, please report it privately rather than opening a public issue.
- Email: bshengtao@gmail.com
- Subject: `[SECURITY] taskflow — <brief description>`
I aim to acknowledge reports within 72 hours and ship a fix within 7 days for confirmed vulnerabilities.
taskflow runs subagent processes, manages a file-based cache with atomic locks, and resolves interpolation expressions from user-provided DSL definitions. Those three areas are of particular interest.
The runtime has intentional hardening: realpath-based path containment, runId validation, atomic writes, and stale-lock stealing. If you find a bypass of any of these, treat it as a vulnerability and report it.
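As an added illustration of what realpath-based path containment, runId validation and atomic writes look like in practice (this is example code written for this page, not taskflow's own implementation; the function names, the assumed run-id format and the constructed directory layout are all assumptions):

```python
import os
import re
import tempfile
from typing import Optional

# Editor's example, not taskflow's code. The run-id rule below is an assumption:
# one leading alphanumeric, then up to 63 alphanumerics, '-' or '_'.
RUN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def validate_run_id(run_id: str) -> bool:
    """Reject run ids that could act as path components ('..', '/', NUL, ...)."""
    return RUN_ID_RE.fullmatch(run_id) is not None


def resolve_within(root: str, relative: str) -> Optional[str]:
    """Return the real path of root/relative, or None if it escapes root.

    Both sides are canonicalised with realpath so that '..' segments and
    symlinks are resolved *before* the containment test, not after it.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    try:
        if os.path.commonpath([real_root, candidate]) != real_root:
            return None
    except ValueError:  # different drives on Windows: cannot be inside root
        return None
    return candidate


def atomic_write(path: str, data: bytes) -> None:
    """Write data so that readers see either the old file or the complete new one."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # same filesystem
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Constructed scenario: a cache root, a file inside it, and a symlink inside
    the root pointing outside. Returns which lookups the containment check allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "cache")
        outside = os.path.join(base, "secret.txt")
        os.mkdir(root)
        atomic_write(outside, b"not for the cache")
        atomic_write(os.path.join(root, "run-1.json"), b"{}")
        results["inside"] = resolve_within(root, "run-1.json") is not None
        results["dotdot"] = resolve_within(root, "../secret.txt") is not None
        results["absolute"] = resolve_within(root, outside) is not None
        try:
            os.symlink(outside, os.path.join(root, "link"))
            results["symlink"] = resolve_within(root, "link") is not None
        except OSError:
            results["symlink"] = None  # platform without symlink support
        results["run_id_ok"] = validate_run_id("run-1")
        results["run_id_bad"] = validate_run_id("../run-1")
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: `resolve_within` canonicalises the joined path first and only then compares it against the canonical root, so a symlink inside the cache that points outside is rejected just like a `..` segment or an absolute path, and `validate_run_id` keeps a run id from ever becoming a traversal component in the first place.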
After the fix is released, vulnerabilities will be disclosed publicly in a GitHub Security Advisory and noted in CHANGELOG.md. Credit will be given unless you prefer to remain anonymous.
