| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ✅ |
| 1.0.x | ❌ |
| < 1.0 | ❌ |
If you discover a security vulnerability in this project, please report it responsibly:

- Do not open a public issue.
- Email security concerns to: security@example.com
- Include:
  - A description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - A suggested fix (if any)

After you report, you can expect:

- Acknowledgment within 48 hours
- Initial assessment within 1 week
- Regular updates on progress
- Credit in the release notes (unless you prefer anonymity)
This project uses WebGL shaders, which:

- Run in a sandboxed environment
- Cannot access the file system
- Are limited by browser security policies

However, malformed shaders could potentially:

- Cause GPU hangs (denial of service)
- Consume excessive resources
- Trigger browser bugs

CSV and JSON data files are:

- Static assets (no server-side processing)
- Validated on load
- Sanitized before display
We regularly monitor dependencies for vulnerabilities:

- `npm audit` runs in CI
- Dependabot alerts are enabled
- Automated security updates are applied
Recommended practices when using or extending this project:

1. Keep dependencies updated: `npm update`
2. Run a security audit: `npm audit`
3. Use a Content Security Policy, for example:

   ```html
   <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' blob:; media-src 'self'; worker-src 'self' blob:;">
   ```

   Note that `'unsafe-eval'` and `'unsafe-inline'` relax the policy; keep them only if your build actually requires them.
4. Validate user inputs if extending the project.
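The validate-on-load and sanitize-before-display steps described for the CSV/JSON data files, together with the "validate user inputs" recommendation above, as an added JavaScript example that is not the project's own code; the column schema, value bounds, row limit and sample CSV are assumptions constructed for illustration:

```javascript
// Added example (not this project's code): validate a CSV data file on load
// and escape cell values before display. Schema and sample CSV are constructed.
const SAMPLE_CSV = [
  "name,x,y,intensity",
  "alpha,0.1,0.2,0.9",
  "<b>not markup</b>,0.3,0.4,0.5", // markup characters must be escaped before display
].join("\n");

// A column parser returns the parsed value, or undefined when the cell is invalid.
function num(min, max) {
  return (v) => {
    const n = Number(v);
    return v.trim() !== "" && Number.isFinite(n) && n >= min && n <= max ? n : undefined;
  };
}

// Assumed schema: column order is enforced and numeric values are bounded.
const SCHEMA = {
  name: (v) => (v.length > 0 && v.length <= 64 ? v : undefined),
  x: num(-1e6, 1e6),
  y: num(-1e6, 1e6),
  intensity: num(0, 1),
};

// Throws on any structural or value error (fields assumed unquoted) so a bad file is rejected whole.
function validateData(text, schema, maxRows = 10000) {
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  const columns = Object.keys(schema);
  const header = lines.length > 0 ? lines[0].split(",") : [];
  if (header.length !== columns.length || header.some((h, i) => h !== columns[i])) {
    throw new Error("unexpected CSV header");
  }
  if (lines.length - 1 > maxRows) throw new Error("too many rows");
  return lines.slice(1).map((line, i) => {
    const cells = line.split(",");
    if (cells.length !== columns.length) throw new Error(`row ${i + 1}: wrong column count`);
    const record = {};
    for (const [j, col] of columns.entries()) {
      const value = schema[col](cells[j]);
      if (value === undefined) throw new Error(`row ${i + 1}: invalid ${col}`);
      record[col] = value;
    }
    return record;
  });
}
// Escape for insertion into HTML; with a DOM available, prefer textContent over innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```

Rejecting the whole file on the first invalid cell keeps a malformed asset from being partially rendered, and escaping (or using textContent) keeps cell contents from being interpreted as markup.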
Known limitations:

- GPU fingerprinting: WebGL can be used for device fingerprinting
- Resource exhaustion: complex shaders may crash weak GPUs
- Browser bugs: shader compilation may trigger browser-specific issues
Security patches will be released as:

- Patch versions (e.g., 1.2.1) for critical fixes
- Minor versions (e.g., 1.3.0) for non-critical improvements

Subscribe to releases for notifications.

We thank the following security researchers:

- [Your name here] - First security report

This security policy is adapted from the GitHub Security Policy template.