player/SECURITY.md
МИН 87444ee2c8 Initial public release: Rublox Player v1.0
Open-source web player for Rublox games, dual-licensed under
AGPL-3.0 + Commercial.

Highlights:
- Babylon.js 7 + React 18 + Vite 5 stack
- Self-contained engine (~46k lines): BlockManager, ModelManager,
  PlayerController, ScriptSandboxWorker, MultiplayerSync, 30+ GD
  gamemodes
- Configurable backend via VITE_API_BASE and friends — works against
  staging (dev-api.rublox.pro) out of the box
- Standalone mode (VITE_STANDALONE=true) loads a bundled sample game
  for first-run without any backend
- Full docs: README, ARCHITECTURE, CONTRIBUTING, SECURITY, CHANGELOG
- Lint + format scaffolding (ESLint + Prettier + EditorConfig)
- Legal: LICENSE (AGPL-3.0), LICENSE-COMMERCIAL.md, CLA.md, COPYRIGHT.md
- Issue templates: bug_report, feature_request, security_disclosure

Removed before public release:
- frontend_deploy.py (contained production SSH credentials)
- ~27 admin endpoints (kept in private repo)
- Hard-coded internal URLs and IPs
- All previous git history (clean repo init)
2026-05-27 23:04:04 +03:00


Security Policy

Supported versions

Only the main branch receives security updates. Tagged releases (v0.x) are best-effort.

Reporting a vulnerability

Do NOT open a public issue for security vulnerabilities.

Vulnerabilities in this player can directly impact our production service at player.rublox.pro and the games that users have published. Public disclosure before a patch can lead to real harm to real users (including minors who play our games).

Please email: security@rublox.pro (read only by the project maintainer)

Include:

  1. A description of the issue
  2. Steps to reproduce (or a proof-of-concept)
  3. Affected versions / files
  4. Your impact assessment (XSS / RCE / IDOR / sandbox escape / etc.)
  5. Your contact for follow-up
  6. Whether you want public credit after the fix (we'll add you to a Hall of Fame in CHANGELOG)

What to expect

| Step                  | Time                       |
|-----------------------|----------------------------|
| Acknowledgement       | within 24 hours            |
| Severity assessment   | within 3 business days     |
| Fix in private branch | within 7 days for critical |
| Public patch release  | when ready, with credit    |

Especially welcome

The following classes of bugs are highly valued (because they can compromise users):

  • Script sandbox escape (engine/scripts/ScriptSandbox*.js) — a user-uploaded game script gaining access to window, document, fetch, localStorage, or hijacking other players' sessions.
  • XSS in game-content rendering — game titles, chat messages, comment bodies that get rendered as HTML.
  • Multiplayer message-injection — crafted Colyseus messages causing other clients to crash or execute attacker code.
  • Auth-token leakage — JWT or ticket appearing in URLs, query strings, console logs, error pages, or analytics events.
  • Asset-URL injection — `url:...` prefixes (designer-uploaded models) that load arbitrary files from outside our asset bucket.
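
As an added defender-side example (not code from the Rublox Player repository), the check below shows what keeping the asset-URL class above out of a model loader looks like: a designer-supplied reference is resolved and accepted only if it lands on the asset bucket's own origin and path prefix, so `javascript:`, `data:`, protocol-relative, credential-bearing and foreign-host URLs all fall through to `null`. The `url:` prefix handling, the bucket origin `https://assets.example.invalid`, the `/models/` prefix and the extension list are assumptions made for this example.

```javascript
// Added example, not part of the Rublox Player code base.
// Bucket origin, path prefix and extension list are assumed placeholders.
const ASSET_BUCKET_ORIGIN = "https://assets.example.invalid";
const ASSET_PREFIX = "/models/";
const ALLOWED_EXTENSIONS = new Set([".glb", ".gltf", ".babylon"]);

/**
 * Resolve a designer-supplied asset reference to a canonical absolute URL,
 * or return null when it would load from outside the asset bucket.
 *
 * Accepted forms (assumed for this example):
 *   - bare asset ids such as "robot.glb"  -> bucket origin + prefix + id
 *   - "url:<absolute URL>"                 -> only if already on the bucket
 */
function resolveAssetUrl(ref, bucketOrigin = ASSET_BUCKET_ORIGIN) {
  if (typeof ref !== "string" || ref.length === 0 || ref.length > 2048) {
    return null;
  }

  let candidate;
  if (ref.startsWith("url:")) {
    candidate = ref.slice(4).trim();
  } else {
    // Bare id: a single file name, no slashes, no traversal, one extension.
    if (!/^[A-Za-z0-9_-]+\.[a-z0-9]+$/.test(ref)) return null;
    candidate = bucketOrigin + ASSET_PREFIX + ref;
  }

  let parsed;
  try {
    // Parsed without a base URL on purpose: relative paths and
    // protocol-relative "//host/..." inputs throw instead of being
    // resolved against whatever page happens to be loaded.
    parsed = new URL(candidate);
  } catch {
    return null;
  }

  // Scheme, host and port must match the bucket exactly. This rejects
  // javascript:, data:, blob:, file: (origin "null") and look-alike hosts,
  // including "https://assets.example.invalid@evil.invalid/...".
  if (parsed.origin !== new URL(bucketOrigin).origin) return null;

  // Credentials in the URL are never legitimate for a public asset bucket.
  if (parsed.username || parsed.password) return null;

  // The URL parser has already collapsed "." / ".." (and their %2e forms),
  // so a prefix check on the normalised path is enough to keep the load
  // inside the models directory.
  const path = parsed.pathname;
  if (!path.startsWith(ASSET_PREFIX)) return null;

  // Only model formats the engine actually loads.
  const dot = path.lastIndexOf(".");
  const ext = dot === -1 ? "" : path.slice(dot).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) return null;

  // Drop query and fragment so loaders and caches see one canonical URL.
  parsed.search = "";
  parsed.hash = "";
  return parsed.href;
}

// Constructed sample inputs, as a designer-uploaded model list might carry them.
const SAMPLE_REFS = [
  "robot.glb",
  "url:https://assets.example.invalid/models/robot.glb?sig=abc",
  "url:https://evil.invalid/models/robot.glb",
  "url:javascript:alert(1)",
  "url:https://assets.example.invalid/models/../secret.glb",
  "url://evil.invalid/models/robot.glb",
  "../robot.glb",
];

for (const ref of SAMPLE_REFS) {
  console.log(JSON.stringify(ref), "->", resolveAssetUrl(ref));
}
```

Only the first two sample references resolve; everything else is refused before any network request is made, which is the property a loader needs regardless of how the rest of the player handles the model once it is fetched.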

Things that are NOT vulnerabilities

(Save your and our time — these get rejected.)

  • Missing X-Frame-Options or Content-Security-Policy (we know, working on it server-side).
  • Self-XSS (user pasting JS into their own DevTools).
  • Outdated npm audit warnings without a working exploit.
  • Information disclosure of files in the repo (it's open-source!).
  • Reports generated by automated scanners with no manual verification.

Reward

We're a small project. We can't pay bounties, but for any genuine vulnerability:

  • Public credit in CHANGELOG.md (if you want)
  • Inclusion in a "Hall of Fame" section in this file
  • Personal thank-you from the maintainer
  • For high-impact reports: a one-time financial gift at the maintainer's discretion (rare, but possible)

Hall of Fame

Empty so far — be the first!