Security: niyazmft/emberfall

Security Policy

Supported Versions

Version | Supported
main    | Yes
older   | No

Only the main branch receives security updates.

Reporting a Vulnerability

If you discover a security vulnerability in Emberfall, please report it privately:

  • Email: open an issue marked [SECURITY] and contact the maintainer via GitHub
  • Response time: best effort, typically within 7 days

Please do not file public GitHub issues for security vulnerabilities.

Scope

Emberfall is a turn-based tactical roguelike game built with Godot 4.2.2. The project is primarily a single-player offline experience, so the attack surface is limited to:

  • Deterministic math/seed handling (must not allow arbitrary code execution)
  • Save file parsing (must not crash or execute code on malformed input)
  • Optional networked features (if/when added)

Out of Scope

  • Vulnerabilities in third-party Godot plugins or the engine itself
  • Issues requiring physical access to the player's device