Skip to content

Security: twiks228/ClackUI

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x ✅ Yes
< 0.1 ❌ No

Reporting a Vulnerability

This is a solo open-source project with no dedicated security team.

For security issues:

  1. Open a private GitHub Security Advisory at: https://github.com/twiks228/ClackUI/security/advisories/new

  2. Or open a regular GitHub issue labelled security if the vulnerability is low-severity and does not expose user data.

There is no email contact at this time.


What ClackUI Does

ClackUI is a UI rendering library. It does not:

  • Make network requests
  • Store user data
  • Handle authentication
  • Access the filesystem except for font loading

Security Scope

In Scope

Area Notes
Buffer overflows in text handling Reportable
Memory corruption in arena allocator Reportable
Crashes from malformed font files (TTF/OTF) Reportable
Out-of-bounds reads in JSON theme loader Reportable
Null pointer dereference in public API Reportable

Out of Scope

Area Reason
Input sanitisation App responsibility
Clipboard contents OS responsibility
OpenGL driver bugs Vendor responsibility
Crash from intentionally malformed app code Not a library bug

Known Limitations

Font Parsing

ClackUI uses stb_truetype which was not designed as a security-hardened font parser.

Recommendation: Only load fonts from your own application bundle. Do not allow users to supply arbitrary font files.

JSON Theme Loading

The loadThemeFromJSON() function does not validate untrusted input.

Recommendation: Only load theme files you control.


Response

As a solo project, response times are best-effort. Critical issues affecting memory safety will be prioritised.


Acknowledgements

Responsible disclosure is appreciated. If your report leads to a fix, you will be credited in the release notes unless you prefer to remain anonymous.


There aren't any published security advisories