We take the security of UniversalDeviceToolkit-Plugins seriously. If you discover a security vulnerability, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report privately via one of these methods:
-
GitHub Security Advisories (preferred):
- Go to the Security Advisories page
- Click "New draft security advisory"
- Fill in the vulnerability details
-
Email:
- Send an email to: security@ssc-studio.dev
- Use GPG encryption if possible (key available on request)
Please include as much of the following as possible:
- Type of vulnerability (e.g., privilege escalation, code injection, DLL hijacking)
- Affected plugin(s) and version(s)
- Step-by-step reproduction instructions
- Proof-of-concept code (if available)
- Potential impact assessment
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix release: Within 2 weeks for critical issues, 4 weeks for others
- Public disclosure: After the fix is released and users have had time to update
This policy applies to:
- All official plugins in the
Plugins/directory - The plugin SDK in
SDK/ - The PluginWorkbench and PluginTooling tools in
Tools/
Security researchers who report vulnerabilities responsibly will be:
- Credited in the release notes (unless they prefer to remain anonymous)
- Added to the Security Hall of Fame (coming soon)
Thank you for helping keep UniversalDeviceToolkit-Plugins secure! 🔒