| Version | Supported |
|---|---|
| 0.1.x | ✅ Yes |
| < 0.1 | ❌ No |
This is a solo open-source project with no dedicated security team.
For security issues:
-
Open a private GitHub Security Advisory at:
https://github.com/twiks228/ClackUI/security/advisories/new -
Or open a regular GitHub issue labelled
securityif the vulnerability is low-severity and does not expose user data.
There is no email contact at this time.
ClackUI is a UI rendering library. It does not:
- Make network requests
- Store user data
- Handle authentication
- Access the filesystem except for font loading
| Area | Notes |
|---|---|
| Buffer overflows in text handling | Reportable |
| Memory corruption in arena allocator | Reportable |
| Crashes from malformed font files (TTF/OTF) | Reportable |
| Out-of-bounds reads in JSON theme loader | Reportable |
| Null pointer dereference in public API | Reportable |
| Area | Reason |
|---|---|
| Input sanitisation | App responsibility |
| Clipboard contents | OS responsibility |
| OpenGL driver bugs | Vendor responsibility |
| Crash from intentionally malformed app code | Not a library bug |
ClackUI uses stb_truetype which was not designed as a
security-hardened font parser.
Recommendation: Only load fonts from your own application bundle. Do not allow users to supply arbitrary font files.
The loadThemeFromJSON() function does not validate untrusted input.
Recommendation: Only load theme files you control.
As a solo project, response times are best-effort. Critical issues affecting memory safety will be prioritised.
Responsible disclosure is appreciated. If your report leads to a fix, you will be credited in the release notes unless you prefer to remain anonymous.