# Security Policy

## Reporting a Vulnerability

If you believe you have found a security vulnerability in Dify, please report it privately through GitHub Security Advisories:

https://github.com/langgenius/dify/security/advisories/new

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

When submitting a report, include as much relevant information as you can safely provide, such as:

- A description of the vulnerability
- Steps to reproduce, if safe to share privately
- Affected components, versions, or configurations
- Potential impact
- Any suggested mitigation or fix, if available

The maintainers will review reports submitted through GitHub Security Advisories and coordinate follow-up there.

## Public Disclosure

Please avoid publicly disclosing details of a vulnerability until it has been reviewed and, where appropriate, a fix or mitigation has been made available.

## Security Updates

Security fixes may be released through normal project releases or other appropriate channels. Users are encouraged to keep Dify deployments up to date.