The ByteFight Client repository is committed to maintaining a secure and responsible development environment. We take all reported vulnerabilities seriously and aim to address them promptly to protect users, contributors, and infrastructure.

This document outlines how to report security vulnerabilities, what to expect after reporting, and best practices for responsible disclosure.

We actively maintain and provide security updates for the following versions:

| Version | Supported |
|---|---|
| Latest (main) | ✅ |
| Previous stable release | ✅ |
| Older versions | ❌ |

If you are using an unsupported version, please upgrade to the latest release.

If you discover a security vulnerability, please report it using GitHub Private Vulnerability Reporting:

- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the private report form and submit

This will create a private report visible only to maintainers, allowing us to investigate and fix the issue before any public disclosure.

To help us resolve the issue quickly, please include:

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any proof-of-concept code or screenshots
- Suggested fix (optional)

⚠️ Please avoid opening public issues for security vulnerabilities unless explicitly instructed.

We aim to respond to vulnerability reports within:

- 48 hours: Initial acknowledgment
- 5–7 days: Triage and severity assessment
- 1–2 weeks: Patch or mitigation (depending on severity)

We will keep reporters informed throughout the process.

We follow a responsible disclosure process:

- The vulnerability is reported privately
- The team investigates and creates a fix
- A patch is released
- Public disclosure is made (if appropriate), with credit to the reporter

We request that reporters do not disclose vulnerabilities publicly until a fix has been released.

This policy applies to:

- The ByteFight Client repository

Contributors are expected to follow these guidelines:

- Do not commit secrets (API keys, tokens, credentials)
- Validate all external inputs
- Use least-privilege principles
- Keep dependencies up to date
- Follow secure coding practices

We appreciate responsible disclosure and will acknowledge contributors who report valid vulnerabilities (unless they prefer to remain anonymous).

For any additional security-related concerns, you may use GitHub Discussions or contact maintainers directly if necessary.

Thank you for helping keep ByteFight secure.