HellionChat/SECURITY.md
JonKazama-Hellion 22dbfc2e24 chore(repo): fix license detection and add github workflows
LICENSE now starts with the EUPL-1.2 standard header so github-linguist
detects the licence correctly in the repo header. The dual-copyright
block (upstream ChatTwo authors plus Hellion Online Media) moves into a
new COPYRIGHT file referenced from the README. NOTICE.md and
UPSTREAM_SYNC.md stay as-is.

New files under .github:

- workflows/build.yml: validates every push to main and every PR
  against the current Dalamud staging branch on a Windows runner
- workflows/release.yml: builds Release on every v* tag, locates the
  DalamudPackager latest.zip and attaches it to the matching GitHub
  Release via softprops/action-gh-release
- dependabot.yml: weekly NuGet sweeps and monthly GitHub Actions
  sweeps with conventional-commit prefixes, grouped patch and minor
  PRs to cut review noise
- ISSUE_TEMPLATE/bug_report.yml + feature_request.yml + config.yml:
  structured intake that pushes security reports through the private
  advisory flow and routes upstream-only issues to ChatTwo
- SECURITY.md: documents the vulnerability reporting channels, scope,
  and target disclosure window

The release workflow replaces the previous manual upload step. Tag a
release and the ZIP shows up on the release page automatically.
2026-05-02 22:50:06 +02:00


# Security policy

## Reporting a vulnerability

If you find a security issue in HellionChat, please do not open a public
GitHub issue. Use one of the private channels below instead so we can
investigate and ship a fix before the details go out.

**Preferred:**
[Privately report a vulnerability](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new)
through GitHub's Security Advisories. This routes the report directly to
me and keeps the conversation off the public timeline.

**Alternative:**

- Email: `maintainer@hellion-media.de`
- Discord: `@j.j_kazama`

I respond on weekdays during European business hours. For urgent
disclosures (active exploitation, user-data exposure) email is the
fastest path.

## What I treat as in scope

- Code paths in HellionChat that touch user-controlled input (chat
  messages, plugin config, file paths the user can influence)
- The privacy filter in MessageStore.cs and the export pipeline
- The Configuration migration logic
- The EmoteCache HTTP client and path handling
- The Auto-Tell-Tabs spawn logic and history preload

## What is not in scope

- Issues in upstream Chat 2 that we have not modified — please report
  those at <https://github.com/Infiziert90/ChatTwo/issues>
- Issues in Dalamud itself — those go to <https://github.com/goatcorp/Dalamud>
- Issues in the FFXIV game client
- Anything that needs the user to install a malicious plugin first

## Acknowledgement

I list everyone who reports a real issue in the changelog of the release
that fixes it, unless they prefer to stay anonymous. No bug bounty,
nothing financial; this is a hobby plugin.

## Disclosure window

I aim to ship a fix within 14 days for high-severity issues and within
30 days for everything else. If a fix needs more time I will say so in
the private thread.