Security: estuary/flow

SECURITY.md

Security Policy

Estuary is committed to the security of our platform and the safety of our customers. We appreciate the efforts of security researchers who help us maintain a secure product.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Preferred method: Use GitHub's built-in "Report a vulnerability" feature in the Security tab of the repository where the vulnerability exists. This keeps the report private and associated with the relevant codebase.

Alternatively, you can email security@estuary.dev — this is equally acceptable, especially for vulnerabilities that span multiple repositories or affect Estuary's infrastructure.

What to Include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Proof-of-concept code, if available
  • Any plans or intentions for public disclosure

What to Expect

  • Acknowledgment within 2 business days of your report
  • Timeline and status updates after triage, with transparency about remediation progress
  • Open dialog to discuss the issue throughout the process
  • Notification when the vulnerability analysis has completed each stage of review
  • Credit after the vulnerability has been validated and fixed, if desired

Scope

This security policy applies to:

  • Estuary Flow platform and its components
  • Estuary-maintained open source repositories
  • Estuary's public-facing infrastructure

Safe Harbor

Estuary will not pursue legal action against individuals who submit vulnerability reports through our reporting channel, provided they:

  • Test systems without harming Estuary or its customers
  • Stay within the scope of the vulnerability disclosure program
  • Do not access, modify, or delete customer data
  • Adhere to applicable laws
  • Refrain from public disclosure before a mutually agreed-upon timeframe

Out of Scope

The following are not in scope for this policy:

  • Social engineering attacks against Estuary employees
  • Denial of service attacks
  • Physical security issues
  • Issues in third-party applications or services not maintained by Estuary

Additional Information

For Estuary's full Responsible Disclosure Policy, including our whistleblower provisions, please contact security@estuary.dev.