We actively support security updates for the following versions of RudeBase3D:
| Version | Supported |
|---|---|
| 1.0.x | β Full support |
| 0.5.x | β Security fixes |
| 0.4.x | β End of life |
| < 0.4 | β No support |
If you discover a security vulnerability in RudeBase3D, please report it responsibly:
π§ Email: security@no-hands-company.com
- Use the subject line:
[SECURITY] RudeBase3D Vulnerability Report - Include as much detail as possible
- Do NOT create public GitHub issues for security vulnerabilities
Please provide the following information:
- Description: Clear description of the vulnerability
- Impact: Potential security impact and affected systems
- Reproduction: Step-by-step reproduction instructions
- Environment: OS, version, and configuration details
- Proof of Concept: Code or screenshots (if applicable)
- Suggested Fix: Your thoughts on how to address it (optional)
- Initial Response: Within 24 hours
- Triage: Within 72 hours
- Status Update: Weekly until resolved
- Fix Release: Target within 30 days for critical issues
- Code Review: All code changes require peer review
- Dependency Scanning: Automated vulnerability scanning of dependencies
- Static Analysis: Regular static code analysis for security issues
- Secure Coding: Following OWASP secure coding practices
- Signed Releases: All releases are cryptographically signed
- Supply Chain: Secure build pipeline with verified dependencies
- Reproducible Builds: Builds can be independently verified
- Checksum Verification: SHA-256 checksums provided for all releases
- Remote code execution
- Privilege escalation to system level
- Data exfiltration of sensitive information
- Response Time: Within 24 hours
- Local privilege escalation
- Authentication bypass
- Denial of service attacks
- Response Time: Within 72 hours
- Information disclosure
- Cross-site scripting (if applicable)
- Local denial of service
- Response Time: Within 1 week
- Minor information leaks
- Low-impact vulnerabilities
- Response Time: Next regular release cycle
- Primary Contact: security@no-hands-company.com
- Response Time: Within 24 hours for critical issues
For critical vulnerabilities requiring immediate attention:
- Response Time: Within 2 hours for critical issues
Security is a shared responsibility. Thank you for helping keep RudeBase3D secure! π‘οΈ
Instead, please report them via:
- Email: security@no-hands-company.org (preferred)
- Private GitHub Security Advisory: Create Advisory
Please include the following information in your report:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
We aim to respond to security reports according to the following timeline:
- Initial Response: Within 48 hours of receiving the report
- Investigation: Complete initial assessment within 7 days
- Resolution:
- Critical vulnerabilities: 30 days maximum
- High severity: 60 days maximum
- Medium/Low severity: 90 days maximum
- We follow responsible disclosure practices
- We will acknowledge receipt of your vulnerability report
- We will provide an estimated timeline for addressing the vulnerability
- We will notify you when the vulnerability is fixed
- We may request that you keep the vulnerability confidential until we've had a chance to address it
RudeBase3D handles:
- File I/O: Loading untrusted 3D model files (OBJ, FBX, etc.)
- Plugin System: Loading third-party plugins and scripts
- Network Operations: Potential future cloud features
- User Input: Handling potentially malicious user input
Common security concerns include:
- Memory safety issues (buffer overflows, use-after-free)
- File format parsing vulnerabilities
- Plugin sandbox escapes
- Input validation failures
When contributing to RudeBase3D:
- Follow secure coding practices
- Validate all input data
- Use safe memory management (RAII, smart pointers)
- Avoid unsafe C functions
- Review third-party dependencies for known vulnerabilities
- Use static analysis tools when available
We believe in recognizing security researchers who help improve our security:
- Security researchers will be credited in our security advisories (unless they prefer to remain anonymous)
- We maintain a security researchers hall of fame
- For significant findings, we may offer recognition rewards (to be determined)
Security updates will be:
- Released as soon as possible after verification
- Documented in our changelog and security advisories
- Announced through our official communication channels
- Tagged with appropriate version bumps following semantic versioning
For any questions about this security policy:
- General Security Questions: security@no-hands-company.org
- Project Maintainers: See MAINTAINERS.md
This security policy may be updated from time to time. Please check back regularly for updates.