We currently support the following versions with security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability in Strata, please follow these steps:
Please do not open a public GitHub issue for security vulnerabilities, as this could put users at risk.
Send details to: jon@jonbogaty.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-7 days
  - High: 7-30 days
  - Medium: 30-90 days
  - Low: Best effort

- We'll confirm receipt of your report
- We'll investigate and assess the issue
- We'll develop and test a fix
- We'll release a patch and publish a security advisory
- We'll credit you in the advisory (unless you prefer to remain anonymous)
Strata employs multiple layers of security:
- Dependabot: Automatic dependency vulnerability scanning and updates
- CodeQL Analysis: Automated security scanning for code vulnerabilities
- Secret Scanning: Prevents accidental commit of secrets
Our custom @agentic/triage security scanner checks for:
- Division by zero vulnerabilities
- Array out-of-bounds access
- Null/undefined dereferences
- Race conditions
- Stale event references
- Resource leaks (Three.js objects not disposed)
- XSS vulnerabilities in user-facing code
All PRs automatically run:
- Unit tests
- Integration tests
- E2E tests
- Security scans
- Dependency reviews
- All code changes require review
- Automated AI review via @agentic/triage
- Human review for significant changes
When contributing to Strata, please follow these security best practices:
Input validation:

```typescript
// Good - validate inputs (Number.isFinite also rejects NaN and Infinity,
// which a plain `size <= 0` check lets through)
function generateTerrain(size: number): THREE.BufferGeometry {
  if (!Number.isFinite(size) || size <= 0) {
    throw new Error('Size must be positive');
  }
  // ...
}

// Bad - no validation
function generateTerrain(size: number): THREE.BufferGeometry {
  // Potential for negative size or NaN
  // ...
}
```

Division by zero:

```typescript
// Good - check for zero
const result = divisor !== 0 ? value / divisor : 0;

// Bad - potential division by zero
const result = value / divisor;
```

Array bounds:

```typescript
// Good - check bounds
const item = index >= 0 && index < array.length ? array[index] : undefined;

// Bad - no bounds check
const item = array[index];
```

Null and undefined checks:

```typescript
// Good - optional chaining
const value = obj?.prop?.nested ?? defaultValue;

// Bad - can throw on null/undefined
const value = obj.prop.nested;
```

Resource cleanup:

```typescript
// Good - cleanup in useEffect
useEffect(() => {
  const geometry = new THREE.BufferGeometry();
  const material = new THREE.MeshBasicMaterial();
  return () => {
    geometry.dispose();
    material.dispose();
  };
}, []);

// Bad - memory leak
useEffect(() => {
  const geometry = new THREE.BufferGeometry();
  const material = new THREE.MeshBasicMaterial();
  // No cleanup
}, []);
```

Stale references:

```typescript
// Good - capture values before async
const value = event.target.value;
setTimeout(() => {
  console.log(value);
}, 100);

// Bad - stale reference risk
setTimeout(() => {
  console.log(event.target.value);
}, 100);
```

Three.js requires manual disposal of:
- Geometries
- Materials
- Textures
- Render targets
Always dispose of these in React cleanup functions.
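The cleanup pattern above scales poorly once an effect creates more than two or three objects, because every `new` needs a matching `dispose()` in the returned function. The following is an added example, not Strata's own code: a small registry (`DisposableRegistry`, an assumed name) that records each resource as it is created and releases all of them in one call, in reverse creation order. It uses a structural `Disposable` type and a constructed `FakeResource` stand-in so it runs without `three` or `react` installed; real geometries, materials, textures and render targets satisfy the same `dispose()` shape.

```typescript
export {};

// Added example (not Strata's code): track resources created in an effect
// and release them together in cleanup. DisposableRegistry and FakeResource
// are names assumed for this example.

interface Disposable {
  dispose(): void;
}

class DisposableRegistry {
  private readonly items: Disposable[] = [];
  private disposed = false;

  // Registers a resource and hands it back, so creation stays a one-liner:
  //   const geometry = registry.track(new THREE.BufferGeometry());
  track<T extends Disposable>(resource: T): T {
    if (this.disposed) {
      throw new Error('registry already disposed; create a new one per effect run');
    }
    this.items.push(resource);
    return resource;
  }

  get size(): number {
    return this.items.length;
  }

  // Disposes in reverse creation order, so a material is released before the
  // texture it references. Returns the number released; a second call is a
  // no-op, so an accidental double cleanup cannot double-dispose anything.
  disposeAll(): number {
    if (this.disposed) {
      return 0;
    }
    this.disposed = true;
    const pending = this.items.splice(0).reverse();
    for (const item of pending) {
      item.dispose();
    }
    return pending.length;
  }
}

// Constructed stand-in for a geometry, material, texture or render target:
// all of those expose dispose() with this shape.
class FakeResource implements Disposable {
  readonly label: string;
  disposeCalls = 0;
  private readonly log: string[];

  constructor(label: string, log: string[]) {
    this.label = label;
    this.log = log;
  }

  dispose(): void {
    this.disposeCalls += 1;
    this.log.push(this.label);
  }
}

// Runs one effect lifecycle: setup creates resources, cleanup releases them.
// In a component this is:
//   useEffect(() => { const registry = ...; return () => registry.disposeAll(); }, []);
function simulateEffectLifecycle(): {
  order: string[];
  released: number;
  secondCleanup: number;
  geometryDisposeCalls: number;
} {
  const order: string[] = [];
  const registry = new DisposableRegistry();

  // Setup phase (body of the effect).
  const texture = registry.track(new FakeResource('texture', order));
  const material = registry.track(new FakeResource('material', order));
  const geometry = registry.track(new FakeResource('geometry', order));
  if (registry.size !== 3 || texture.label !== 'texture' || material.label !== 'material') {
    throw new Error('setup did not register all resources');
  }

  // Cleanup phase (function returned from the effect), called twice to show idempotence.
  const released = registry.disposeAll();
  const secondCleanup = registry.disposeAll();

  return { order, released, secondCleanup, geometryDisposeCalls: geometry.disposeCalls };
}
```

Creating a fresh registry on every effect run matters: React re-runs the effect body after cleanup when dependencies change, and a registry that has already been disposed refuses new resources rather than silently leaking them.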
The library handles WebGL context loss, but complex scenes may need manual recovery logic.

Extremely high values for resolution, particle count, etc. can cause browser freezes. We validate inputs to prevent this.
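The validation guideline above and this note about oversized resolution or particle counts are the same concern: untrusted numbers reaching expensive geometry code. The following is an added example, not Strata's own validation code; the field names, the `LIMITS` ceilings and the `ParamValidationError` class are assumptions chosen for illustration. It rejects non-numbers, NaN, Infinity and non-positive values, requires integers where a count is expected, and clamps oversized values so a misconfigured scene degrades to a coarser one instead of freezing the tab. The `cellSize` helper shows the "check for zero" rule applied to a derived value.

```typescript
export {};

// Added example (not Strata's code): validate generator parameters before
// they reach expensive geometry code. Field names and limits are assumptions.

interface TerrainParams {
  size: number;          // world-space edge length of the terrain
  resolution: number;    // grid cells per edge (drives vertex count)
  particleCount: number; // particles spawned on top of the terrain
}

// Assumed ceilings: beyond these, vertex buffers grow into the hundreds of
// megabytes and the main thread stalls, which is the browser-freeze case.
const LIMITS = {
  maxSize: 10000,
  maxResolution: 2048,
  maxParticleCount: 1000000,
} as const;

class ParamValidationError extends Error {
  readonly field: keyof TerrainParams;

  constructor(field: keyof TerrainParams, message: string) {
    super(`${field}: ${message}`);
    this.name = 'ParamValidationError';
    this.field = field;
  }
}

// typeof rejects strings such as "64" arriving from untyped JSON or query
// parameters; Number.isFinite rejects NaN and +/-Infinity, which a plain
// `value <= 0` comparison lets through because NaN compares false to everything.
function isFiniteNumber(value: unknown): value is number {
  return typeof value === 'number' && Number.isFinite(value);
}

function checkPositive(
  field: keyof TerrainParams,
  value: unknown,
  max: number,
  mustBeInteger: boolean,
): number {
  if (!isFiniteNumber(value)) {
    throw new ParamValidationError(field, 'must be a finite number');
  }
  if (value <= 0) {
    throw new ParamValidationError(field, 'must be positive');
  }
  if (mustBeInteger && !Number.isInteger(value)) {
    throw new ParamValidationError(field, 'must be an integer');
  }
  // Oversized but otherwise valid values are clamped rather than rejected.
  return Math.min(value, max);
}

// Accepts untrusted input (for example parsed JSON) and returns a typed,
// bounded configuration, or throws naming the first offending field.
function validateTerrainParams(
  input: Partial<Record<keyof TerrainParams, unknown>>,
): TerrainParams {
  return {
    size: checkPositive('size', input.size, LIMITS.maxSize, false),
    resolution: checkPositive('resolution', input.resolution, LIMITS.maxResolution, true),
    particleCount: checkPositive('particleCount', input.particleCount, LIMITS.maxParticleCount, true),
  };
}

// Derived value behind a division. Validation already guarantees a positive
// resolution, but the guard keeps this safe if it is ever called with an
// unvalidated object (the "check for zero" rule from the guidelines above).
function cellSize(params: TerrainParams): number {
  return params.resolution !== 0 ? params.size / params.resolution : 0;
}
```

Clamping instead of rejecting is a design choice: for a rendering library it is usually better to draw something coarse than to throw on a value a user typed, but a count that is negative, fractional or not a number at all has no sensible interpretation and is refused outright.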
Security patches are released as needed. Monitor:
For non-security issues:
- Open a bug report
- Start a discussion
For security issues: jon@jonbogaty.com
Thank you for helping keep Strata secure! 🔒