# Security Policy

## Supported versions

Only the `main` branch receives security updates. Tagged releases (`v0.x`) are best-effort.

## Reporting a vulnerability

**Do NOT open a public issue for security vulnerabilities.**

Vulnerabilities in this player can directly impact our production service at `player.rublox.pro` and the games that users have published. Public disclosure before a patch can lead to real harm to real users (including minors who play our games).

Please email: **`security@rublox.pro`** (read only by the project maintainer)

Include:

1. A description of the issue
2. Steps to reproduce (or a proof-of-concept)
3. Affected versions / files
4. Your impact assessment (XSS / RCE / IDOR / sandbox escape / etc.)
5. Your contact for follow-up
6. Whether you want public credit after the fix (we'll add you to a Hall of Fame in CHANGELOG)

## What to expect

| Step | Time |
|---|---|
| Acknowledgement | within 24 hours |
| Severity assessment | within 3 business days |
| Fix in private branch | within 7 days for critical |
| Public patch release | when ready, with credit |

## Especially welcome

The following classes of bugs are highly valued (because they can compromise users):

- **Script sandbox escape** (`engine/scripts/ScriptSandbox*.js`) — a user-uploaded game script gaining access to `window`, `document`, `fetch`, `localStorage`, or hijacking other players' sessions.
- **XSS in game-content rendering** — game titles, chat messages, comment bodies that get rendered as HTML.
- **Multiplayer message-injection** — crafted Colyseus messages causing other clients to crash or execute attacker code.
- **Auth-token leakage** — JWT or ticket appearing in URLs, query strings, console logs, error pages, or analytics events.
- **Asset-URL injection** — `url:...` prefixes (designer-uploaded models) that load arbitrary files from outside our asset bucket.

## Things that are NOT vulnerabilities

(Save your and our time — these get rejected.)

- Missing `X-Frame-Options` or `Content-Security-Policy` (we know, working on it server-side).
- Self-XSS (user pasting JS into their own DevTools).
- Outdated `npm audit` warnings without a working exploit.
- Information disclosure of files in the repo (it's open-source!).
- Reports generated by automated scanners with no manual verification.

## Reward

We're a small project. We can't pay bounties, but for any genuine vulnerability:

- Public credit in `CHANGELOG.md` (if you want)
- Inclusion in a "Hall of Fame" section in this file
- Personal thank-you from the maintainer
- For high-impact reports: a one-time financial gift at the maintainer's discretion (rare, but possible)

## Hall of Fame

_Empty so far — be the first!_