Future Work Platform is currently an open-source prototype. Security fixes are applied to the latest public revision only. The local demo is not a production-ready deployment.
Please do not disclose suspected vulnerabilities in a public issue, pull request, or discussion.
Use GitHub's private vulnerability reporting feature for this repository when it is available. If private reporting has not been enabled yet, contact the repository maintainers through a private channel and ask for a secure reporting path before sharing technical details.
Include:
- The affected component and revision.
- Reproduction steps or a proof of concept.
- Potential impact.
- Any suggested mitigation.
Maintainers should acknowledge a report promptly, investigate it privately, and coordinate disclosure after a fix or mitigation is available.
The repository includes development-only credentials, demo tokens, permissive CORS defaults, and prototype authentication flows for local evaluation. Before any internet-facing deployment:
- Replace every development credential and token.
- Use a secret manager.
- Disable permissive demo CORS behavior.
- Review authorization boundaries and rate limits.
- Replace local SMS and authentication shortcuts.
- Run dependency, container, and secret scans.
Future Work Platform is currently an open-source prototype. Security fixes target only the latest public release. The local demo is not equivalent to a production-ready deployment.
Do not disclose suspected vulnerabilities in a public Issue, Pull Request, or Discussion.
Prefer this repository's GitHub private vulnerability reporting feature. If that feature has not yet been enabled, first contact the repository maintainers through a private channel and confirm a secure reporting method before providing technical details.
Suggested contents:
- The affected component and version.
- Reproduction steps or a proof of concept.
- Potential impact.
- Suggested mitigation.
Maintainers should acknowledge the report as soon as possible, complete the investigation privately, and coordinate disclosure once a fix or mitigation is ready.
For local evaluation, this repository contains development credentials, demo tokens, permissive CORS defaults, and prototype authentication flows. Before deploying to the public internet, you must:
- Replace all development credentials and tokens.
- Use a secret management service.
- Disable the permissive demo CORS configuration.
- Review authorization boundaries and rate-limiting policies.
- Replace local SMS and authentication shortcuts.
- Run dependency, container, and secret scans.