Security: alch3mistdev/prosim

Security

SECURITY.md

Security Policy

Supported Versions

We actively maintain the latest release of ProSim. Security fixes are applied to the main branch and tagged as a new release.

Version Supported
latest
older

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub issues.

If you believe you have found a security vulnerability in ProSim, please disclose it responsibly by opening a GitHub Security Advisory. This allows maintainers to assess and patch the issue before public disclosure.

When reporting, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept (PoC).
  • Any suggested mitigations or fixes, if you have them.

You can expect an initial response within 5 business days. We will keep you informed as we work toward a fix and will credit you in the release notes unless you prefer to remain anonymous.

Security Considerations

ProSim calls the Anthropic API to generate workflow graphs. Keep the following in mind when deploying:

  • API key protection: Store ANTHROPIC_API_KEY in environment variables or a secrets manager—never commit it to source control.
  • CORS: Set PROSIM_CORS_ORIGINS to the exact origins allowed to call the backend API. The default (http://localhost:3000) is intended for local development only.
  • Input validation: The backend validates all uploaded workflow JSON through Pydantic models before processing. Avoid exposing the API directly to untrusted networks without additional authentication.
  • LLM output: Workflow graphs are generated by an LLM and then validated and repaired by the parser. Do not treat generated graphs as fully trusted input for automated production systems without human review.
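
A deployment preflight for the API key and CORS points above, as an added example that is not part of ProSim's code. It assumes PROSIM_CORS_ORIGINS holds a comma-separated list (the page does not state the format); the function names are hypothetical.

```python
import os
import sys
from urllib.parse import urlsplit

DEV_DEFAULT = "http://localhost:3000"  # default origin named in the policy text

def check_origin(origin):
    """Return the problems found in one PROSIM_CORS_ORIGINS entry."""
    if origin == "*":
        return ["wildcard allows every origin"]
    if origin == DEV_DEFAULT:
        return ["local-development default"]
    try:
        parts = urlsplit(origin)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["not parseable as an origin"]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not of the form scheme://host[:port]"]
    problems = []
    if "*" in parts.hostname:
        problems.append("wildcard host is not an exact origin")
    # Browsers send Origin as scheme://host[:port] with no trailing slash,
    # so anything beyond that never matches exactly.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        problems.append("extra path, query, fragment or credentials")
    return problems

def preflight(env=os.environ):
    """Collect findings for the two deployment settings named in the policy."""
    findings = []
    if not env.get("ANTHROPIC_API_KEY", "").strip():
        findings.append("ANTHROPIC_API_KEY: not set in the environment")
    raw = env.get("PROSIM_CORS_ORIGINS")
    if raw is None:
        findings.append(f"PROSIM_CORS_ORIGINS: unset, default {DEV_DEFAULT} applies")
    else:
        # Assumption: entries are comma-separated.
        for origin in filter(None, (o.strip() for o in raw.split(","))):
            findings += [f"PROSIM_CORS_ORIGINS {origin!r}: {p}"
                         for p in check_origin(origin)]
    return findings

if __name__ == "__main__":
    results = preflight()
    for line in results:
        print(line)  # findings never include the key value itself
    sys.exit(1 if results else 0)
```

Run it in the same environment as the backend before startup; a non-zero exit means at least one setting needs attention.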

Disclosure Policy

Once a fix is released, we will publish a security advisory on GitHub that describes the vulnerability, the affected versions, and the resolution.

There aren’t any published security advisories