player/SECURITY.md
87444ee2c8 Initial public release: Rublox Player v1.0
Open-source web player for Rublox games, dual-licensed under
AGPL-3.0 + Commercial.

Highlights:
- Babylon.js 7 + React 18 + Vite 5 stack
- Self-contained engine (~46k lines): BlockManager, ModelManager,
  PlayerController, ScriptSandboxWorker, MultiplayerSync, 30+ GD
  gamemodes
- Configurable backend via VITE_API_BASE and friends — works against
  staging (dev-api.rublox.pro) out of the box
- Standalone mode (VITE_STANDALONE=true) loads a bundled sample game
  for first-run without any backend
- Full docs: README, ARCHITECTURE, CONTRIBUTING, SECURITY, CHANGELOG
- Lint + format scaffolding (ESLint + Prettier + EditorConfig)
- Legal: LICENSE (AGPL-3.0), LICENSE-COMMERCIAL.md, CLA.md, COPYRIGHT.md
- Issue templates: bug_report, feature_request, security_disclosure

Removed before public release:
- frontend_deploy.py (contained production SSH credentials)
- ~27 admin endpoints (kept in private repo)
- Hard-coded internal URLs and IPs
- All previous git history (clean repo init)
2026-05-27 23:04:04 +03:00


# Security Policy
## Supported versions
Only the `main` branch receives security updates. Tagged releases (`v0.x`) receive fixes on a best-effort basis only.
## Reporting a vulnerability
**Do NOT open a public issue for security vulnerabilities.**
Vulnerabilities in this player can directly affect our production service at `player.rublox.pro` and the games that users have published there. Public disclosure before a patch is available can cause real harm to real users, including minors who play our games.
Please email: **`security@rublox.pro`** (read only by the project maintainer)
Include:
1. A description of the issue
2. Steps to reproduce (or a proof-of-concept)
3. Affected versions / files
4. Your impact assessment (XSS / RCE / IDOR / sandbox escape / etc.)
5. Your contact for follow-up
6. Whether you want public credit after the fix (we'll add you to a Hall of Fame in CHANGELOG)
## What to expect
| Step | Time |
|---|---|
| Acknowledgement | within 24 hours |
| Severity assessment | within 3 business days |
| Fix in private branch | within 7 days for critical |
| Public patch release | when ready, with credit |
## Especially welcome
The following classes of bugs are highly valued (because they can compromise users):
- **Script sandbox escape** (`engine/scripts/ScriptSandbox*.js`) — a user-uploaded game script gaining access to `window`, `document`, `fetch` or `localStorage`, or hijacking other players' sessions.
- **XSS in game-content rendering** — game titles, chat messages, comment bodies that get rendered as HTML.
- **Multiplayer message-injection** — crafted Colyseus messages causing other clients to crash or execute attacker code.
- **Auth-token leakage** — JWT or ticket appearing in URLs, query strings, console logs, error pages, or analytics events.
- **Asset-URL injection** — `url:...` asset references (designer-uploaded models) that cause the player to load files from hosts other than our asset bucket.
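
As an added illustration of the last item (this is not code from the Rublox Player repository), here is the shape of an allowlist check for designer-supplied `url:...` asset references: only absolute `https` URLs on the bucket's exact origin, under a public path prefix, with a known model or texture extension are accepted. The bucket origin `https://assets.example.test`, the `/public/` prefix, the extension set and the function name `resolveAssetRef` are assumptions made for this example.

```javascript
// Added example, not Rublox Player code. Bucket origin, path prefix,
// extension set and function names are assumptions for illustration.
const ASSET_ORIGIN = "https://assets.example.test"; // hypothetical bucket origin
const ASSET_PATH_PREFIX = "/public/";               // hypothetical public prefix
const ALLOWED_EXT = new Set([".glb", ".gltf", ".babylon", ".png", ".jpg"]);

function resolveAssetRef(ref) {
  if (typeof ref !== "string" || !ref.startsWith("url:")) {
    return { ok: false, reason: "not a url: reference" };
  }
  const raw = ref.slice("url:".length).trim();

  let url;
  try {
    // Parse with no base URL: relative paths and protocol-relative forms such
    // as "//evil.test/x" throw here instead of resolving against the player's
    // own origin.
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }

  // Rejects javascript:, data:, blob:, file: and plain http: up front.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }

  // Compare the whole origin, never a substring of the host. URL.origin
  // lowercases the host, drops the default port and excludes userinfo, so
  // "https://assets.example.test@evil.test/m.glb" has origin https://evil.test
  // and fails here, as does "https://assets.example.test.evil.test/m.glb".
  if (url.origin !== ASSET_ORIGIN) {
    return { ok: false, reason: "origin not allowed" };
  }

  // The WHATWG parser already collapses "..", "%2e." and "%2e%2e" segments,
  // so a "/public/%2e%2e/private/x" reference arrives here as "/private/x".
  // Decoding once more catches "%2e%2e%2Fprivate", which the parser keeps as
  // a single segment but a decoding proxy in front of the bucket would not.
  let decoded;
  try {
    decoded = decodeURIComponent(url.pathname);
  } catch {
    return { ok: false, reason: "malformed path encoding" };
  }
  if (decoded.split("/").includes("..")) {
    return { ok: false, reason: "encoded traversal" };
  }
  if (!url.pathname.startsWith(ASSET_PATH_PREFIX)) {
    return { ok: false, reason: "outside public prefix" };
  }

  const dot = decoded.lastIndexOf(".");
  const ext = dot === -1 ? "" : decoded.slice(dot).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) {
    return { ok: false, reason: "extension not allowed" };
  }

  // Drop query string and fragment so a reference cannot smuggle parameters
  // (signed-URL fields, cache busters) that the player did not issue itself.
  url.search = "";
  url.hash = "";
  return { ok: true, href: url.href };
}

// Constructed sample inputs, as a designer might submit them (not real data).
const SAMPLES = [
  "url:https://assets.example.test/public/models/chair.glb",
  "url:https://ASSETS.EXAMPLE.TEST:443/public/models/chair.GLB?v=2#frag",
  "url:https://assets.example.test@evil.test/public/m.glb",
  "url:https://assets.example.test.evil.test/public/m.glb",
  "url://evil.test/public/m.glb",
  "url:javascript:alert(document.cookie)",
  "url:http://assets.example.test/public/m.glb",
  "url:https://assets.example.test/public/%2e%2e/private/key.glb",
  "url:https://assets.example.test/public/%2e%2e%2Fprivate/key.glb",
  "url:https://assets.example.test/public/readme.html",
  "models/chair.glb",
];

function checkSamples() {
  return SAMPLES.map((ref) => [ref, resolveAssetRef(ref)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [ref, result] of checkSamples()) {
    console.log(result.ok ? "ALLOW " : "REJECT", ref, result.reason ?? result.href);
  }
}
```

The exact-origin comparison is the part that matters most: a `startsWith("https://assets.example.test")` or `includes("assets.example.test")` check passes both the userinfo form and the look-alike subdomain, which is precisely the class of bypass the item above describes.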
## Things that are NOT vulnerabilities
(Save your and our time — these get rejected.)
- Missing `X-Frame-Options` or `Content-Security-Policy` headers (known; being addressed server-side).
- Self-XSS (user pasting JS into their own DevTools).
- `npm audit` findings for outdated dependencies without a working exploit against this player.
- Information disclosure of files in the repo (it's open-source!).
- Reports generated by automated scanners with no manual verification.
## Reward
We're a small project. We can't pay bounties, but for any genuine vulnerability:
- Public credit in `CHANGELOG.md` (if you want)
- Inclusion in a "Hall of Fame" section in this file
- Personal thank-you from the maintainer
- For high-impact reports: a one-time financial gift at the maintainer's discretion (rare, but possible)
## Hall of Fame
_Empty so far — be the first!_