At CadenzaFlow, we are committed to Information Security, Privacy, and Compliance. Our mission is to establish trust through transparency.
Just as Camunda forked from Activiti 5.10 in early 2013, CadenzaFlow forked from Camunda 7.24 in late 2025.
Since then, following the CadenzaFlow Release Cycles, a Vulnerability Report is provided with every CadenzaFlow BPM Platform release in the Roadmap under the Security Section.
The CadenzaFlow team utilizes Trivy to generate vulnerability reports.
The baseline vulnerability state of Camunda 7.24, along with the progress made in each CadenzaFlow release (v1.1.0, v1.2.0, etc.), can be found under the Security Section.
For any security-related issues, we recommend contacting the CadenzaFlow team. Security issues and vulnerabilities can be reported as described below.
Severity: CRITICAL|HIGH|MEDIUM|LOW, Title: short description of issue
Vulnerabilities discovered by Community users are treated as bugs and addressed on a best-effort basis.
Vulnerabilities discovered by Enterprise customers are treated according to the agreed support and SLA terms.
Security notices (Vulnerability Reports) for each CadenzaFlow release can be found at: TODO.
Once reported, the CadenzaFlow team assesses the vulnerability. This includes root cause analysis, as well as evaluating the risk and impact of the issue. This assessment is performed in close collaboration with the reporter.
The CadenzaFlow team creates a remediation plan to address identified security issues. Fixes are made available through:
Once a fix is released or a practical workaround becomes available, the CadenzaFlow team notifies users through the relevant Vulnerability Reports page.