We take security seriously and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 3.x.x | ✅ Yes |
| 2.x.x | ❌ No (deprecated) |
| 1.x.x | ❌ No (deprecated) |
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via private email:
Email: dev@scootr.ca
Subject: [SECURITY] Deadline Dread Vulnerability Report
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact if exploited
- Suggested Fix: If you have ideas for fixing the issue
- Affected Version: Which version(s) are affected
- Browser/Environment: Where the vulnerability was discovered
- Initial Response: Within 48 hours
- Status Update: Within 1 week
- Resolution: As quickly as possible, typically within 30 days
Since Deadline Dread is a client-side web game, most security concerns relate to:
- Cross-Site Scripting (XSS): Malicious code injection
- Data Validation: Input sanitization and validation
- Local Storage: Secure handling of game data
- Third-Party Dependencies: Keeping dependencies updated
- Server-side vulnerabilities (no server component)
- Database security (no database)
- Authentication bypass (no authentication system)
- API security (no external APIs)
- XSS vulnerabilities in game UI or user input
- Code injection through game mechanics
- Data corruption that could affect gameplay
- Performance attacks that could crash the game
- Information disclosure through game mechanics
- UI manipulation that could confuse players
- Local storage vulnerabilities affecting game data
- Cosmetic issues that don't affect functionality
- Performance issues that don't create security risks
- Browser-specific quirks that don't pose security threats
- Code Review: All changes are reviewed before merging
- Dependency Updates: Regular updates of npm packages
- Input Validation: Client-side validation for all user inputs
- Content Security Policy: CSP headers where applicable
- Minification: Code is minified to reduce attack surface
- Source Maps: Disabled in production builds
- Dependency Scanning: Regular security audits of dependencies
- Vulnerability Assessment: Evaluate severity and impact
- Fix Development: Create and test security fixes
- Version Bump: Increment version number appropriately
- Release: Deploy updated version
- Disclosure: Public disclosure after fix is available
- Patch Release (3.0.1): Security fixes and minor bug fixes
- Minor Release (3.1.0): New features with security improvements
- Major Release (4.0.0): Breaking changes or major security overhauls
- Acknowledgement: Credit for responsible disclosure
- Timely Response: Quick assessment and response
- Transparency: Clear communication about fixes
- No Legal Action: We won't pursue legal action against security researchers
- Private Reporting: Don't disclose publicly until we've had time to fix
- Reasonable Timeline: Allow us time to assess and fix issues
- No Exploitation: Don't use vulnerabilities to harm users
- Good Faith: Report issues to help improve security, not cause harm
- OWASP Top 10: Web application security risks
- MDN Security: Web security best practices
- Content Security Policy: CSP implementation guide
- Keep Updated: Use the latest version of the game
- Report Issues: Contact us if you notice suspicious behavior
- Browser Security: Keep your browser updated
- Email: dev@scootr.ca
- Subject:
[SECURITY] Deadline Dread Vulnerability Report
- GitHub Issues: Use issue templates for non-security problems
- Discord: https://discord.gg/qaMmuCqxAQ for community discussion
- Initial security policy implementation
- Client-side input validation improvements
- Dependency security audit completed
Thank you for helping keep Deadline Dread secure! 🛡️🎮