| Version | Supported |
|---|---|
| 0.9.x | ✅ |
| 0.8.x | ✅ |
| < 0.8 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, send an email to security@rec2it.app with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You should receive a response within 48 hours. If the issue is confirmed, we will:
- Acknowledge receipt within 48 hours
- Provide an estimated timeline for a fix within 7 days
- Release a patch as soon as possible
- Publicly disclose the vulnerability after the fix is deployed (with credit to reporter, unless anonymous preferred)
This project implements:
- HMAC-SHA256 anti-cheat verification (server-side via Supabase Edge Function)
- Rate limiting on score submissions (1 run per 5 seconds per IP)
- Content Security Policy headers via Vercel
- HSTS with 2-year max-age
- X-Frame-Options DENY to prevent clickjacking
- Permissions-Policy minimal grant
- RLS policies in Supabase (anon read-only, service_role write)
- No PII collected — opt-in leaderboard without email
In-scope vulnerabilities:
- Anti-cheat bypass (fake scores, replay attacks)
- XSS via QTE prompt injection (currently safe — no user input)
- SQL injection in Edge Function
- Secret leakage (HMAC secret exposed in client bundle)
- Authentication bypass for leaderboard submission
Out-of-scope:
- Denial of service on Plausible/Supabase free tier
- Client-side score manipulation (we trust client display only)
- Self-XSS (modifying localStorage in your own browser)
Security researchers who have helped us improve:
To be updated after first responsible disclosure.
We follow responsible disclosure best practices. Reporters who follow this policy will be credited (unless they prefer anonymity).