Warpkeep is a live, admission-gated Alpha, not a finished or publicly open game. Security reports are welcome and are handled on a best-effort basis.
| Version | Status |
|---|---|
| Alpha 0.3 development line | Best-effort security fixes |
| Earlier prototypes and snapshots | Unsupported |
Please do not disclose a vulnerability, reproduction, or sensitive evidence in a public issue, pull request, discussion, cast, or direct message.
- If Report a vulnerability is available on this repository's Security page, use GitHub Private Vulnerability Reporting.
- If it is unavailable, request a private reporting channel without including
technical details. Open a content-free GitHub issue titled
Security contact request, or contact the project owner through the already-public GitHub profile. Wait for a private channel before sharing the report.
An initial report should contain only what is needed to triage safely:
- the affected version, commit, URL, or component;
- the security impact and required attacker access;
- minimal, non-destructive reproduction steps using synthetic data;
- whether the issue may already be public or actively exploited;
- a safe way to continue the conversation privately.
Never send live access tokens, private keys, seed phrases, passwords, SIWF messages or signatures, QR payloads, channel tokens, credentialed URLs, or real user identity evidence. Redact logs and screenshots. Do not probe production at volume, access another user's data, or mutate shared game state while preparing a report.
The project will acknowledge and investigate reports as availability permits, coordinate remediation and disclosure where appropriate, and credit reporters who request it. There is no response-time guarantee and no bug-bounty program.