At 0trace, we take security seriously and aim to keep the project safe and secure. This Security Policy outlines the versions supported for security updates, how to report security vulnerabilities, and the best practices for maintaining the integrity of the project.

To ensure that users and contributors are protected, we provide security updates for specific versions of 0trace. Please refer to the table below to see which versions are currently supported.

• Any version below 1.0.x is no longer supported and will not receive security updates. Please update to the latest stable release to ensure you are protected.

If you discover a security vulnerability in 0trace, we encourage responsible disclosure. Here's how you can report it securely:

1. Do not disclose the vulnerability publicly until it has been resolved to prevent exploitation.
2. Please contact us via email at security@0trace.com to report the issue.
3. Include the following information in your report:
   • Steps to reproduce the vulnerability.
   • Potential impact of the issue.
   • Affected versions (if known).
   • Any other relevant details that could help us resolve the issue quickly.

• We will acknowledge your report within 24 hours.
• You can expect updates about the progress of the fix, including a patch release or workarounds, within 7 days for critical issues.
• Non-critical issues will be evaluated and may be addressed in future releases.

We take several measures to ensure the security of 0trace:

We periodically audit the codebase to identify and fix vulnerabilities.

We regularly update and manage dependencies to mitigate risks from outdated or insecure libraries. Tools like Dependabot help us stay on top of security patches.

All sensitive data exchanges are encrypted using HTTPS. We follow privacy best practices and do not collect personal data unless explicitly stated.

We ensure only trusted contributors have access to sensitive areas of the repository. Access is managed via GitHub Teams, and two-factor authentication (2FA) is required.

If a security vulnerability is identified:

• A security patch will be released as soon as possible.
• Security updates will be documented in the CHANGELOG.md with the tag security update.
• Users should update to the latest release to ensure their systems are secure.

We welcome security researchers to help improve the safety of 0trace:

• Fork the repository and perform security testing.
• Submit pull requests for security fixes, which will be reviewed and integrated if they meet the project's standards.

We are committed to protecting user privacy:

• No personal data is collected or stored unless required for multiplayer features.
• Any user-generated content is securely stored and anonymized.
• Sensitive information is always protected using strong encryption protocols.

As a contributor, you should follow these best practices:

1. Validate all user inputs to prevent security vulnerabilities like injection attacks.
2. Always sanitize data passed between components.
3. Adhere to the principle of least privilege: only give components the minimum permissions they need.
4. Use HTTPS for all external API interactions.
5. Test your code for security issues before submitting a pull request.

While 0trace is designed to be secure, no software can be guaranteed to be completely free of vulnerabilities. We urge all users and contributors to keep their systems up-to-date and practice good security hygiene, such as using strong passwords and regularly updating their software.

For any security-related concerns or to report a vulnerability, please contact us via email at security@0trace.com. If you encounter an urgent security issue, please include detailed information to help us address it quickly.

Thank you for helping us keep 0trace secure! 💪🔐