Security Policy

Reportable Issues

When it comes to security we're generally looking for the following items.

• Personal Data Breaches
• Unauthorized access to user's computers or data
• Cloud based security issues
• Permission system breaches and bypasses
• Asset theft/ripping including Avatars and Worlds
• Malicious or self-replicating items

This is not an exhaustive list and you should use your best judgement when making a report. If an issue bothers you please consider reporting it. We would rather know about an issue then not.

Crashes

As Resonite is a Beta/Early Access product, crashes are common and in some cases random. It is therefore ok to report these on our bug tracker.

However, if a crash is easily reproducible or easy to accidentally trigger, then a private report as a security issue is still valid.

Additionally, If a user is maliciously causing crashes please also submit that to our Moderation System.

Private Data

Due to our Peer to Peer infrastructure for sessions and flexibility/openness of in-session development, it can be unclear what we class as private data.

To clarify this, here is a list of common data that we don't consider private:

• Username
• User ID
• Machine ID (This is not a MAC address)
• IP Address
• Steam ID/Username (When Steam networking sockets or rich presence is used)
• Discord ID/Username (When Discord rich presence is used)

Reporting Security Issues

Never, report a security issue through:

• The Resonite Discord
• Our Resonite issue tracker
• Conversations in public Resonite sessions
• Social Media
• Direct messages with Team Members, Mentors, Moderators

Security issues must be reported via our support system.

Reporting format/contents

We don't have a standard format, but when reporting an issue be sure to include as much detail as possible. Try to include:

• What you found?
• How you found it?
• How serious you think it is?
• How many users are aware of it?
• Log Files
• Replication steps
• Screenshots
• Videos

You should also indicate if you'd like to opt out of being credited for this report / discovery. When we resolve issues we may credit you in the change logs unless you opt out.

Reporting Rules

These guidelines are not intended to supersede or to overrule the general Guidelines but are designed to give you some additional guidance in the area of security issues.

We do not ban/restrict users for reporting security issues provided these are followed.

• If your issue requires testing with other users ensure you have their consent before testing issues with/on them.
• Do not publicly disclose or encourage the use of issues you find.
• Do not use issues found to breach our guidelines
• Do not use public sessions as a location to test your issue
• Do not boast/show-off or instill fear within the community regarding an issue

Reporting Process

Once a report has been submitted, the following items will happen:

1. Acknowledgement - A response from our ticket system acknowledging receipt.
2. Further Communication - After review, we may reach out with additional information or questions.
3. Resolution - After the issue is resolved you will be notified.

Report Reviewers

Security reports are only reviewable by Team members.

Bug Bounties / Rewards

We're unable to offer rewards or bounties for reports currently. If this changes we will update this policy.