Draft — initial text, undergoing legal review. Clauses may change.

Legal document

Security — FerrFlow

Last updated: May 14, 2026

FerrFlow is an open-source CLI. It runs entirely on your machine or inside your CI runner — your source code, your commits, your tags. Nothing leaves your infrastructure, nothing phones home. This page tells you how the binary supply chain is protected, where to report a vulnerability, and what is in scope.

Posture

FerrFlow has no servers to protect. There is no FerrFlow account, no database, no API endpoint handling user data. The CLI reads your git history, edits version strings in files you control, pushes tags through your existing git credentials, and exits. The companion site ferrflow.com is a static documentation surface — see the privacy policy for what little it logs.

For the broader FerrLabs platform posture (encryption, identity, network isolation, audit logging, sub-processor management), see ferrlabs.com/security. FerrFlow inherits very little from that posture in practice — it's a CLI, not a SaaS — but the canonical page is the source of truth for FerrLabs-wide controls.

Threat model

The primary risk surface is the binary supply chain. A malicious FerrFlow build in a CI runner could read repository contents, push tags, or publish releases under the project's credentials. Mitigations:

  • Every release is built in GitHub Actions from the public FerrLabs/FerrFlow repository, with build provenance attestations (SLSA L3 target).
  • Binaries and container images are signed; checksums and signatures are published alongside every release at github.com/FerrLabs/FerrFlow/releases.
  • The self-host bundle ghcr.io/ferrlabs/ferrflow-selfhost is distributed only via GHCR, with image signatures verifiable via cosign.
  • The JSON Schema at ferrflow.com/schema/ferrflow.json is served from the same static origin as this site and is byte-identical to schema/ferrflow.json in the source repo.

Reporting a vulnerability

Two channels — pick whichever fits your workflow. Both are monitored.

  • Email: security@ferrlabs.com. PGP key fingerprint and policy at ferrlabs.com/.well-known/security.txt.
  • GitHub private security advisory: file a private advisory directly on the repo. This is the preferred channel if you can already reproduce the issue against a tagged release.

We follow coordinated disclosure with a 90-day default. We acknowledge reports within 3 business days, agree on a disclosure timeline, and credit reporters in the published advisory unless they ask to remain anonymous. Please do not open a public GitHub issue for vulnerabilities.

Scope

In scope:

  • The FerrLabs/FerrFlow CLI source and the binaries it produces.
  • The published container images at ghcr.io/ferrlabs/ferrflow*.
  • The JSON Schema served at ferrflow.com/schema/ferrflow.json.
  • This marketing site (ferrflow.com).

Out of scope:

  • Third-party file formats FerrFlow reads or updates (Cargo.toml, package.json, pyproject.toml, Chart.yaml, mix.exs, pubspec.yaml, gemspecs, etc.) — vulnerabilities in those ecosystems belong upstream.
  • Conventional Commits parsing bugs that are not security issues (those are normal bug reports).
  • Denial of service from passing a pathological input to the CLI on your own machine.

No customer data

FerrFlow does not collect, transmit, or store any user data. No telemetry, no error reporting, no usage analytics, no phone-home. The CLI's only network activity is the git operations you explicitly invoke (fetching, pushing tags, creating GitHub releases through your own token) and HTTP calls to package registries that you configured.

The companion site ferrflow.com uses no cookies and no third-party trackers; see the cookies page and privacy policy for the full detail.

Contact

security@ferrlabs.com · GitHub private security advisory on the FerrLabs/FerrFlow repository · FerrLabs platform security (ferrlabs.com/security)

French version: Sécurité.

© 2026 FerrLabs. FerrFlow is a FerrLabs product. SIREN 104 243 951