Thank you for helping keep gflow and runqd safe.

gflow is a local job scheduler for shared Linux machines. Because it can start processes, manage job state, and expose optional local services, security reports are taken seriously.

Security fixes are provided on a best-effort basis for:

If you are unsure whether your installation is still supported, test against the latest release first.

Please report vulnerabilities privately. Do not open a public GitHub issue, discussion, or pull request for suspected security problems.

Send a report to me@puqing.work with the subject line gflow security report.

Please include as much of the following as possible:

• A clear description of the issue and its impact.
• The affected gflow / runqd version.
• How you installed it, such as Cargo, pip, pipx, or uv tool.
• Your environment, especially Linux distribution, kernel, and whether GPU scheduling is enabled.
• Step-by-step reproduction instructions or a proof of concept.
• Any suggested mitigations if you already tested one.

If you want to share sensitive details but need a different channel first, mention that in the email and we can coordinate.

Best-effort process:

• Initial acknowledgement within 72 hours.
• Triage and severity assessment after reproduction.
• Status updates while a fix or mitigation is being prepared.
• Public disclosure after a fix is available, when appropriate.

To reduce risk in production-like environments:

• Keep gflow updated to the latest release.
• Limit who can access the host account that runs gflowd.
• Expose network services only when necessary, and prefer loopback-only binding unless you understand the security implications.
• Treat submitted jobs, scripts, and environment variables as privileged inputs.