HellionChat/SECURITY.md
JonKazama-Hellion 0220e5d756 chore(linting): refresh configs and sweep auto-fix
Pull in the refreshed linter and tooling configs (editorconfig,
gitignore, gitattributes, prettierignore, prettierrc, markdownlint,
yamllint, env.example, dotnet-tools) and run prettier and markdownlint
in --fix / --write mode across the repo so the existing tree matches
the new rules.

- prettier 2-space indent on yaml/yml and json overrides, asterisk
  strong, underscore emphasis, proseWrap always
- markdownlint MD007 indent aligned to 2 and MD049 to underscore so
  prettier output stays passing
- preflight Block F also ignores CLAUDE.md (gitignored personal file)
- prettierignore extended to keep HellionChat.yaml manifest and the
  NuGet packages.lock.json out of the formatter

No semantic content changed; csharpier, build, full build-suite
(729/729) and the new prettier/markdownlint/yamllint checks all green.
2026-05-17 17:20:55 +02:00


Security Policy

Reporting a Vulnerability

If you find a security issue in HellionChat, please do not open a public Gitea issue. Use one of the private channels below so I can investigate and ship a fix before the details go public.

Preferred:

  • Email: kontakt@hellion-media.de
  • Discord DM: @j.j_kazama

For urgent disclosures (active exploitation, user-data exposure), email is the fastest path.

I respond on weekdays during European business hours.

Scope

In scope

  • Code paths that touch user-controlled input (chat messages, plugin config, file paths the user can influence)
  • The privacy filter in MessageStore.cs and the export pipeline
  • The configuration migration logic
  • The EmoteCache HTTP client and path handling
  • The Auto-Tell-Tabs spawn logic and history preload

Out of scope

Disclosure Window

I aim to ship a fix within 14 days for high-severity issues and within 30 days for everything else. If a fix needs more time I will say so in the private thread.

Credits

Everyone who reports a real issue gets listed in the changelog of the release that fixes it, unless they prefer to stay anonymous. No bug bounty, nothing financial — this is a hobby plugin.