JonKazama-Hellion/HellionChat
1
0
Fork 0
Code Issues Pull Requests Actions Releases 28 Activity
Files
1f7f0945c514a6a529bf53054c029d90137a2ce3
HellionChat/SECURITY.md
T
JonKazama-Hellion 1b63765caa docs: community standards, privacy notice and release-body automation 
Closes the remaining gaps in GitHub's community-standards check, adds
explicit privacy and dependency documentation matching the plugin's
"DSGVO-by-design" claim, and removes the stale upstream Crowdin
artefact so the repo no longer suggests it ships its own translation
pipeline.

New community-health files:

- CODE_OF_CONDUCT.md: project-specific, short and direct, single
  reporting path to kontakt@hellion-media.de
- CONTRIBUTING.md: scope, accepted vs declined contributions, build
  and test instructions, EUPL-1.2 contribution terms, translation
  policy split between Hellion-specific (here) and upstream strings
  (Chat 2 repo)
- SUPPORT.md: routing for bugs, security, privacy and casual feedback
- .github/PULL_REQUEST_TEMPLATE.md: summary, change-type checklist,
  testing notes, compatibility notes for migrations and manifest
  fields, contribution checklist
- .github/FUNDING.yml: comments-only file, no platforms enabled,
  points donors at the upstream Chat 2 maintainers' Ko-fi pages

New privacy and compliance documentation:

- PRIVACY.md: what the plugin stores locally (config, SQLite,
  EmoteCacheV1), retention defaults, the two outbound network calls
  (BetterTTV API+CDN with ShowEmotes opt-out, Square Enix Lodestone
  font once-off), explicit no-telemetry statement, GDPR
  Art. 15/17/18/20/21 rights mapped to plugin features, third-party
  privacy-policy links
- THIRD_PARTY_NOTICES.md: direct NuGet dependencies with versions
  pinned to v0.5.4 (MessagePack, Microsoft.Data.Sqlite, morelinq,
  Pidgin, SixLabors.ImageSharp under Six Labors Split License 1.0),
  Dalamud SDK and .NET tooling, bundled Exo 2 font (OFL-1.1) and
  plugin icon, network-touch status per component, re-audit commands

Crowdin cleanup:

- crowdin.yml deleted (was upstream Chat 2's project_id 663694,
  pointed at /ChatTwo/Resources/Language.resx, never wired to
  HellionChat strings)
- README, CONTRIBUTING and CODE_OF_CONDUCT no longer suggest
  HellionChat operates a Crowdin project; remaining mentions are
  explicitly framed as upstream Chat 2's workflow

Contact and version consistency:

- Maintainer email switched from maintainer@hellion-media.de to
  kontakt@hellion-media.de in SECURITY.md and NOTICE.md
- README version references updated to 0.5.4 (header, project status
  block) and the update-tag pattern generalised from v0.1.x to v0.X.Y
- bug_report.yml version placeholder bumped to 0.5.4
- Project-documents table added to README footer linking all health
  and reference files in one place

Release-body automation:

- .github/workflows/release.yml now extracts the matching version
  block from ChatTwo/HellionChat.yaml's changelog and combines it
  with a static install / docs footer (custom-repo URL, project
  document links, licence) before passing the result to
  softprops/action-gh-release@v3 via body_path
- Workflow fails fast if no changelog block exists for the tagged
  version, automating the existing "yaml + repo.json + release body
  kept in sync" rule
- Tag value passed via env: TAG_NAME with strict ^v\d+\.\d+\.\d+$
  validation before any string concatenation, so the tag input cannot
  break out into shell evaluation
2026-05-03 10:42:07 +02:00

50 lines
1.8 KiB
Markdown
Raw Blame History

# Security policy
## Reporting a vulnerability
If you find a security issue in HellionChat, please do not open a public
GitHub issue. Use one of the private channels below instead so we can
investigate and ship a fix before the details go out.
**Preferred:**
[Privately report a vulnerability](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new)
through GitHub's Security Advisories. This routes the report directly to
me and keeps the conversation off the public timeline.
**Alternative:**
- Email: `kontakt@hellion-media.de`
- Discord: `@j.j_kazama`
I respond on weekdays during European business hours. For urgent
disclosures (active exploitation, user-data exposure) email is the
fastest path.
## What I treat as in scope
- Code paths in HellionChat that touch user-controlled input (chat
messages, plugin config, file paths the user can influence)
- The privacy filter in MessageStore.cs and the export pipeline
- The Configuration migration logic
- The EmoteCache HTTP client and path handling
- The Auto-Tell-Tabs spawn logic and history preload
## What is not in scope
- Issues in upstream Chat 2 that we have not modified — please report
those at <https://github.com/Infiziert90/ChatTwo/issues>
- Issues in Dalamud itself — those go to <https://github.com/goatcorp/Dalamud>
- Issues in the FFXIV game client
- Anything that needs the user to install a malicious plugin first
## Acknowledgement
I list everyone who reports a real issue in the changelog of the release
that fixes it, unless they prefer to stay anonymous. No bug bounty,
nothing financial; this is a hobby plugin.
## Disclosure window
I aim to ship a fix within 14 days for high-severity issues and within
30 days for everything else. If a fix needs more time I will say so in
the private thread.
Reference in New Issue View Git Blame Copy Permalink