HellionChat/SECURITY.md
JonKazama-Hellion 22dbfc2e24 chore(repo): fix license detection and add github workflows
LICENSE now starts with the EUPL-1.2 standard header so github-linguist
detects the licence correctly in the repo header. The dual-copyright
block (upstream ChatTwo authors plus Hellion Online Media) moves into a
new COPYRIGHT file referenced from the README. NOTICE.md and
UPSTREAM_SYNC.md stay as-is.

New files under .github:

- workflows/build.yml: validates every push to main and every PR
  against the current Dalamud staging branch on a Windows runner
- workflows/release.yml: builds Release on every v* tag, locates the
  DalamudPackager latest.zip and attaches it to the matching GitHub
  Release via softprops/action-gh-release
- dependabot.yml: weekly NuGet sweeps and monthly GitHub Actions
  sweeps with conventional-commit prefixes, grouped patch and minor
  PRs to cut review noise
- ISSUE_TEMPLATE/bug_report.yml + feature_request.yml + config.yml:
  structured intake that pushes security reports through the private
  advisory flow and routes upstream-only issues to ChatTwo
- SECURITY.md: documents the vulnerability reporting channels, scope,
  and target disclosure window

The release workflow replaces the previous manual upload step. Tag a
release and the ZIP shows up on the release page automatically.
2026-05-02 22:50:06 +02:00


Security policy

Reporting a vulnerability

If you find a security issue in HellionChat, please do not open a public GitHub issue. Use one of the private channels below instead so we can investigate and ship a fix before the details go out.

Preferred: Privately report a vulnerability through GitHub's Security Advisories. This routes the report directly to me and keeps the conversation off the public timeline.

Alternative:

  • Email: maintainer@hellion-media.de
  • Discord: @j.j_kazama

I respond on weekdays during European business hours. For urgent disclosures (active exploitation, user-data exposure) email is the fastest path.

What I treat as in scope

  • Code paths in HellionChat that touch user-controlled input (chat messages, plugin config, file paths the user can influence)
  • The privacy filter in MessageStore.cs and the export pipeline
  • The Configuration migration logic
  • The EmoteCache HTTP client and path handling
  • The Auto-Tell-Tabs spawn logic and history preload

What is not in scope

Acknowledgement

I list everyone who reports a real issue in the changelog of the release that fixes it, unless they prefer to stay anonymous. No bug bounty, nothing financial; this is a hobby plugin.

Disclosure window

I aim to ship a fix within 14 days for high-severity issues and within 30 days for everything else. If a fix needs more time I will say so in the private thread.