We release patches for security vulnerabilities in the following versions:

Note: As MetaImGUI is a template project, we recommend always using the latest version. Security updates will be applied to the main branch and included in the next release.

MetaImGUI employs multiple automated security scanning tools:

• CodeQL Analysis: Continuous security analysis for C++ code vulnerabilities
• Dependabot: Automated dependency updates and vulnerability alerts
• Dependency Review: PR-level dependency vulnerability scanning
• Memory Sanitizers: ASAN, TSAN, UBSAN, MSAN for runtime error detection

These automated checks run on every pull request and push to main/develop branches.

We take the security of MetaImGUI seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

Security Contact: intothemist@gmail.com

Please include the following information:

• Type of vulnerability
• Full description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if any)
• Your contact information for follow-up questions

When you report a vulnerability, you can expect:

1. Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.

2. Assessment: We will investigate and validate the vulnerability within 7 days.

3. Updates: We will keep you informed about the progress of resolving the issue.

4. Fix Timeline:

   • Critical vulnerabilities: Fixed within 7 days
   • High severity: Fixed within 30 days
   • Medium/Low severity: Fixed in the next scheduled release

5. Credit: If you wish, we will credit you in the security advisory and release notes.

• Please give us reasonable time to address the vulnerability before any public disclosure.
• We will coordinate with you on the disclosure timeline.
• Once a fix is available, we will publish a security advisory on GitHub.

When using MetaImGUI as a template for your own applications, consider these security best practices:

• Keep dependencies up to date: Regularly update ImGui, GLFW, and other dependencies
• Review third-party code: Audit any additional dependencies you add
• Monitor CVE databases: Watch for vulnerabilities in dependencies

The UpdateChecker makes HTTP(S) requests to GitHub:

• Requests are made over HTTPS to api.github.com
• No sensitive data is transmitted
• Consider adding certificate pinning for production applications
• Review and audit network code before deployment

• Validate user input: Always sanitize and validate data from UI controls
• File paths: Sanitize file paths to prevent directory traversal
• Configuration files: Validate JSON configuration before parsing

• Compiler warnings: Treat warnings as errors (-Werror in CMakeLists.txt)
• Static analysis: Run clang-tidy regularly
• Address sanitizers: Use AddressSanitizer and UndefinedBehaviorSanitizer during development
• Enable security features: Use compiler hardening flags in production:
  • -D_FORTIFY_SOURCE=2
  • -fstack-protector-strong
  • -fPIE -pie (Position Independent Executable)
  • -Wl,-z,relro,-z,now (Full RELRO)

Windows:

• Enable DEP (Data Execution Prevention)
• Enable ASLR (Address Space Layout Randomization)
• Code signing for executables

Linux:

• Use AppArmor or SELinux profiles
• Minimize capabilities and permissions
• Secure file permissions

macOS:

• Code signing and notarization
• Hardened runtime
• Use entitlements appropriately

• Never hardcode secrets: Don't commit API keys, passwords, or tokens
• Use environment variables: For configuration requiring secrets
• Secure storage: Use platform keychain/credential managers
• GitHub Actions secrets: For CI/CD credentials

The built-in UpdateChecker:

• Only notifies users of updates; doesn't auto-download
• Verifies HTTPS connection to GitHub
• Users should verify download integrity using provided SHA256 checksums
• Consider implementing GPG signature verification for releases

The UpdateChecker component fetches release information from GitHub's API:

• Communication: Uses HTTPS (TLS encrypted)
• Data parsed: JSON response from GitHub API
• No code execution: Only displays update information
• User action required: Downloads happen through user's browser, not automatically

Settings may be stored in JSON files:

• Location: ~/.config/MetaImGUI/ (Linux), AppData (Windows)
• Content: Window settings, theme preferences (no sensitive data by default)
• Recommendation: Validate and sanitize before parsing
• Consideration: File permissions should be user-readable only

Current dependencies and their security status:

• ImGui: Regularly updated, actively maintained
• GLFW: Mature library, good security track record
• nlohmann/json: Well-tested, widely used
• libcurl: Keep updated, has security team
• Catch2: Testing framework, not in production binaries

When creating an application from this template:

• Review all dependencies for known vulnerabilities
• Update to latest stable versions of all dependencies
• Enable compiler security flags in CMakeLists.txt
• Implement input validation for all user inputs
• Add authentication/authorization if handling sensitive data
• Use encrypted connections for network communication
• Implement secure credential storage
• Regular security audits and penetration testing
• Set up automated dependency scanning (Dependabot, Snyk)
• Code sign your releases
• Provide SHA256 checksums for downloads
• Document security considerations in your README

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors who help improve security will be recognized here:

(No vulnerabilities reported yet)

Security updates will be announced:

1. GitHub Security Advisories: https://github.com/andynicholson/MetaImGUI/security/advisories
2. Release Notes: Tagged releases on GitHub
3. CHANGELOG.md: Documented in changelog

Subscribe to repository notifications to receive security updates.

If you have questions about this security policy, please contact: intothemist@gmail.com

Last updated: 2025-12-03