diff --git a/SECURITY.md b/SECURITY.md index 0e1f4ac..783e2e1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,49 +1,55 @@ -# Security policy +# Security Policy -## Reporting a vulnerability +## Reporting a Vulnerability -If you find a security issue in HellionChat, please do not open a public -GitHub issue. Use one of the private channels below instead so we can -investigate and ship a fix before the details go out. +If you find a security issue in HellionChat, please do not open a +public GitHub issue. Use one of the private channels below so I can +investigate and ship a fix before the details go public. **Preferred:** [Privately report a vulnerability](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new) -through GitHub's Security Advisories. This routes the report directly to -me and keeps the conversation off the public timeline. +via GitHub Security Advisories. This routes the report directly to me +and keeps the conversation off the public timeline. **Alternative:** -- Email: `kontakt@hellion-media.de` -- Discord: `@j.j_kazama` + +| Channel | Address | +| ---------- | -------------------------- | +| Email | `kontakt@hellion-media.de` | +| Discord DM | `@j.j_kazama` | I respond on weekdays during European business hours. For urgent disclosures (active exploitation, user-data exposure) email is the fastest path. 
-## What I treat as in scope +## Scope -- Code paths in HellionChat that touch user-controlled input (chat - messages, plugin config, file paths the user can influence) -- The privacy filter in MessageStore.cs and the export pipeline -- The Configuration migration logic -- The EmoteCache HTTP client and path handling +### In scope + +- Code paths that touch user-controlled input (chat messages, plugin + config, file paths the user can influence) +- The privacy filter in `MessageStore.cs` and the export pipeline +- The configuration migration logic +- The `EmoteCache` HTTP client and path handling - The Auto-Tell-Tabs spawn logic and history preload -## What is not in scope +### Out of scope -- Issues in upstream Chat 2 that we have not modified — please report +- Issues in upstream Chat 2 that HellionChat has not modified — report those at -- Issues in Dalamud itself — those go to +- Issues in Dalamud itself — those go to + - Issues in the FFXIV game client -- Anything that needs the user to install a malicious plugin first +- Anything that requires the user to install a malicious plugin first -## Acknowledgement - -I list everyone who reports a real issue in the changelog of the release -that fixes it, unless they prefer to stay anonymous. No bug bounty, -nothing financial; this is a hobby plugin. - -## Disclosure window +## Disclosure Window I aim to ship a fix within 14 days for high-severity issues and within 30 days for everything else. If a fix needs more time I will say so in the private thread. + +## Credits + +Everyone who reports a real issue gets listed in the changelog of the +release that fixes it, unless they prefer to stay anonymous. No bug +bounty, nothing financial — this is a hobby plugin.
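Review bot: the two "Out of scope" bullets that redirect reporters end without a destination in both the old and new text ("report those at" and "those go to" are followed by nothing visible), so a reporter reading the rendered page has nowhere to send an upstream Chat 2 or Dalamud issue; add the actual upstream advisory or issue-tracker URL after each "at"/"to", or drop the trailing preposition if the links are intentionally omitted. Minor: the new blank "+" line inserted after the Dalamud bullet splits the list in the rendered markdown, so the FFXIV client and malicious-plugin items may render as a separate list; remove it so all four out-of-scope items stay in one list.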