During Development (Current Phase): We only support the latest release version of DungeonRS with security updates. Once we reach stable release (1.0+), we'll maintain security support for the latest major version.

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in DungeonRS, please report it privately through GitHub Security Advisories:

1. Go to the Security tab of this repository
2. Click "Report a vulnerability"
3. Fill out the advisory form with details

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact and attack scenarios
• Suggested fixes (if you have any)
• Your contact information for follow-up questions

1. Acknowledgement: We'll acknowledge receipt of your report within 48 hours
2. Investigation: We'll investigate and assess the vulnerability
3. Timeline: We'll provide an estimated timeline for a fix
4. Updates: We'll keep you informed of our progress
5. Resolution: We'll notify you when the vulnerability is resolved
6. Disclosure: We'll coordinate responsible disclosure timing with you

DungeonRS processes various file types and user-generated content. Areas of particular security importance include:

• Asset loading: Images, scripts, and other media files
• Project files: JSON/TOML serialisation and deserialization
• Export functionality: Generated map files and images

• Rhai scripts: For asset filtering and processing
• Custom shaders: WebGL/graphics pipeline security

This security policy covers:

• The DungeonRS application and its core libraries
• Asset processing and project file handling
• Build and distribution processes

The following are generally not considered security vulnerabilities:

• Issues requiring physical access to the user's machine
• Social engineering attacks
• Vulnerabilities in third-party dependencies (please report these upstream)
• Performance issues without security implications

We appreciate responsible disclosure and will publicly acknowledge security researchers who help improve DungeonRS security (with your permission).

For non-security related issues, please use our standard issue reporting process.

For general questions about this security policy, you can reach out via GitHub Discussions.