This document outlines the security procedures for SDF Editor. We take security very seriously and appreciate the efforts of security researchers and users who point out potential vulnerabilities.

We believe in providing timely security support for actively maintained versions of our software.

If you discover a security vulnerability in SDF Editor, please follow the process below. Do not open a public issue or post details on public forums (like GitHub Issues, mailing lists, or social media) before we have had a chance to address the issue.

Please report all security vulnerabilities privately by emailing the security team at:

Email -> eng-SDF@protonmail.com

To help us triage and resolve the issue quickly, please include as much detail as possible:

• A clear description of the vulnerability.
• Product version(s) (e.g., "v0.1.0").
• Steps to reproduce the vulnerability (including environment details like OS, language version, etc.).
• A suggested fix or mitigation, if you have one.
• Your contact information (optional).

Once we receive your report, we commit to the following timeline for acknowledgment and resolution:

If the timeline for a fix is expected to exceed 28 days, we will communicate the delay and the reasons to you privately.

We follow a responsible disclosure timeline:

1. We will work with you privately to develop and release a patch.
2. Once the patch is released, we will work with you to coordinate a public disclosure of the vulnerability details.
3. We typically wait 7 days after the patch is publicly available before releasing technical details, unless a longer period is mutually agreed upon.
4. We will publicly credit you for your responsible report, provided you wish to be credited.

• Accepted Vulnerabilities: If the vulnerability is confirmed and falls within the scope of SDF Editor, we will prioritize a fix and communicate status updates as per the timeline above.
• Declined Vulnerabilities: If a report is declined (e.g., it's an issue in a third-party dependency, a known limitation, or outside the security scope of the project), we will explain why the report is being closed.

This policy covers security issues in the SDF Editor source code and the official releases published on Releases.

Issues that are out of scope include:

• Issues in third-party libraries that we do not control.
• Denial of Service (DoS) vulnerabilities that require physical access or massive network resources.
• Social engineering or physical attacks against maintainers.
• Vulnerabilities in infrastructure (e.g., GitHub/GitLab configuration, build services) managed by the platform provider.

• Confidentiality: We will not disclose your personal information without your consent.
• Limitation of Liability: This policy does not constitute an admission of liability for any vulnerabilities.
• Good Faith Assumption: We assume reports are made in good faith. Malicious reports may be reported to authorities.
• Policy Changes: We may update this policy; changes will be posted here

Thank you again for helping keep SDF Editor secure!