OpenFlowKit is currently a pre-1.0 project. Security fixes are applied on a best-effort basis to the latest active code line only.
Current support policy:
| Version / Branch | Supported |
|---|---|
| Latest main / master branch state | Yes |
| Latest deployed app/docs surfaces | Best effort |
| Older commits, forks, and historical pre-1.0 snapshots | No |
If the project starts publishing stable release lines, this policy should be updated to list supported versions explicitly.
Please do not open a public GitHub issue for a security vulnerability.
Instead, report it here:
When possible, include:
- a short description of the issue
- impact and affected surface
- reproduction steps
- browser/environment details
- proof-of-concept material if safe to share
OpenFlowKit is a browser-first, local-first application. Relevant security areas include:
- persisted local application data
- imported/exported files
- AI provider API key handling
- collaboration transport behavior
- third-party asset ingestion and rendering
OpenFlowKit is fully local-first. No diagram data, API keys, or user content is sent to OpenFlowKit servers. There are no OpenFlowKit servers.
Diagram state is persisted in IndexedDB (with localStorage as a fallback). It never leaves the browser unless you explicitly export or share it.
OpenFlowKit uses a Bring-Your-Own-Key (BYOK) model:
- API keys are entered in Settings → AI and stored in localStorage under a dedicated namespace.
- Keys are sent directly from your browser to the AI provider (OpenAI, Anthropic, Google, etc.) — not proxied through any OpenFlowKit service.
- Keys are never logged, never included in exports, and never transmitted to anyone other than the provider you configured.
Important: the Settings → AI modal is the only supported key entry point. Do not put API keys in .env or .env.local files: supplying a key through an environment variable is a development-only convenience and must never be used in a shared or deployed environment.
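The following is an added illustration of the BYOK rules above (namespaced localStorage storage, keys sent straight to the configured provider, never logged, never exported). It is not OpenFlowKit's own code: the namespace prefix, provider list, header conventions and export shape are assumptions, and the in-memory store only stands in for window.localStorage so the block runs outside a browser. The export check also covers the edge case the rules alone do not: a user pasting a key into a node label, which would otherwise ride along in a "diagram-only" export.

```javascript
// Added example, not OpenFlowKit code. Namespace, providers and export shape are assumed.
const KEY_NAMESPACE = "openflowkit:ai:";            // assumed prefix for per-provider keys
const PROVIDERS = ["openai", "anthropic", "google"];

// Stand-in for window.localStorage so the example runs under Node as well.
const memoryStore = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();
function pickStorage() {
  try {
    if (typeof localStorage !== "undefined" && localStorage) {
      localStorage.getItem("__probe");              // throws if Web Storage is unusable
      return localStorage;
    }
  } catch (_) { /* fall through to the in-memory store */ }
  return memoryStore;
}
const storage = pickStorage();

// Keys live only under the dedicated namespace; nothing else in the app reads that prefix.
function saveApiKey(provider, key) {
  if (!PROVIDERS.includes(provider)) throw new Error(`unknown provider: ${provider}`);
  if (typeof key !== "string" || key.trim() === "") throw new Error("empty API key");
  storage.setItem(KEY_NAMESPACE + provider, key.trim());
}
function loadApiKey(provider) {
  return storage.getItem(KEY_NAMESPACE + provider);
}
function clearApiKeys() {
  for (const p of PROVIDERS) storage.removeItem(KEY_NAMESPACE + p);
}

// The key goes in the provider's own auth header on a request the browser makes
// directly to that provider; there is no intermediate service to proxy it.
// Header names are the providers' documented conventions; no endpoint URLs are assumed.
function authHeaders(provider) {
  const key = loadApiKey(provider);
  if (!key) throw new Error(`no API key configured for ${provider}`);
  switch (provider) {
    case "openai":    return { Authorization: `Bearer ${key}` };
    case "anthropic": return { "x-api-key": key, "anthropic-version": "2023-06-01" };
    case "google":    return { "x-goog-api-key": key };
    default:          throw new Error(`unknown provider: ${provider}`);
  }
}

// Exports are built from diagram state alone; settings are never walked.
function exportDiagram(diagram) {
  return JSON.stringify({ version: 1, nodes: diagram.nodes, edges: diagram.edges });
}

// Defensive check before handing an export to the user or a collaborator: a key can
// still end up in an export if someone pasted it into a label, so scan for stored values.
function exportLeaksKey(exportText) {
  return PROVIDERS.some((p) => {
    const k = loadApiKey(p);
    return Boolean(k) && exportText.includes(k);
  });
}

// Redaction for anything that might be logged or shown in an error report.
function redact(obj) {
  const keys = PROVIDERS.map(loadApiKey).filter(Boolean);
  return JSON.stringify(obj, (_, v) =>
    typeof v === "string" && keys.some((k) => v.includes(k)) ? "[REDACTED]" : v);
}
```

Run the export through exportLeaksKey (or an equivalent scan) right before it leaves the browser, and route any diagnostics through redact; the namespace prefix is what lets both checks enumerate every stored key without knowing the provider in advance.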
Real-time collaboration uses WebRTC peer-to-peer transport, with a public signalling server used only for the initial handshake. Once connected, diagram data flows directly between peers; it is not stored on or readable by the signalling server. Room links contain the room ID, and anyone with the link can join the session, so treat a room link as a bearer credential and share it only with intended collaborators.
Cloud provider icon packs (AWS, Azure, GCP, CNCF) are fetched from a CDN at runtime. No user data is sent in those requests — they are plain asset fetches.
The maintainers will review reports and aim to:
- confirm the issue
- assess severity and impacted surfaces
- prepare a fix or mitigation
- ship the patch on the latest supported code line
Response and remediation timing is best effort and depends on issue severity and maintainer availability.