VectorRen is a small, joyful project — but security still matters.
This document explains how to report vulnerabilities responsibly and how we handle them.
VectorRen is versioned using semantic tags (v0.x, v1.x, etc.).
Security fixes will be applied to the most recent release and to the main branch.
Older versions may not receive patches.
If you discover a security issue:
- Do not open a public Issue or Pull Request.
- Email the maintainer privately with the details.
- Include:
  - a clear description of the vulnerability
  - steps to reproduce
  - the affected files or components
  - any suggested fixes (optional)
We will acknowledge your report as quickly as possible and keep you updated as we investigate.
If you are unsure whether something is a vulnerability, report it anyway.
It is always better to ask.
Please give the maintainer reasonable time to investigate and fix the issue before any public disclosure.
We appreciate researchers and contributors who help keep the project safe.
The following are not acceptable:
- Public disclosure of vulnerabilities before a fix is available
- Malicious or harmful exploit attempts
- Automated “security scans” submitted as mass‑generated PRs
- Reports unrelated to the VectorRen codebase (e.g., browser bugs, hosting issues)
VectorRen is intentionally simple:
- no backend
- no user accounts
- no server‑side logic
- no dependencies beyond minimal dev tooling
This reduces the attack surface dramatically, but not completely.
We still take reports seriously and treat security as part of the craft.
Security researchers and contributors help keep VectorRen safe for everyone.
Thank you for taking the time to report issues responsibly.