If you discover a security vulnerability in GPF, please report it privately to help us address it before public disclosure.
Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, report security issues via one of these methods:
- Discord (Recommended): Join our Discord server and send a private message to @maintainers
- GitHub Security: Use GitHub's private vulnerability reporting feature
- Email: For sensitive issues, request maintainer contact information via Discord
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if you have one)
What to expect after reporting:
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Varies based on severity
When building games with GPF, follow these security guidelines:
Always validate the contents of messages received in handlers marked with the [FromClient] attribute:

    [FromClient]
    private void Handler(UpdateScore msg)
    {
        // Validate input before touching server state
        if (msg.Score < 0 || msg.Score > 1000000)
            return;
        this.score = msg.Score;
    }

Only make ServerObjects [Syncable] if clients need to see the data. Keep sensitive data in non-syncable ServerObjects.
Never trust client-provided values for game-critical logic. All authoritative decisions must be made server-side.
Use proper authentication for production games. See docs/guides/AUTHENTICATION_GUIDE.md.
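The following is an added illustration of the guidelines above, not code from the GPF project: the client message carries only a claim, the server checks that claim against its own state and derives the score itself, and server-only bookkeeping lives on a ServerObject that is not [Syncable]. The stand-in definitions of ServerObject, [Syncable] and [FromClient], and the message types, are assumptions made so the snippet compiles on its own; GPF's real API may differ.

```csharp
using System;
using System.Collections.Generic;

// Stand-ins for GPF's attributes and base class (assumed; GPF's real definitions may differ).
public abstract class ServerObject { }
[AttributeUsage(AttributeTargets.Class)]  public sealed class SyncableAttribute : Attribute { }
[AttributeUsage(AttributeTargets.Method)] public sealed class FromClientAttribute : Attribute { }

// Constructed message types for this example.
public sealed class UpdateScore { public int Score; }     // client asserts a result: cannot be verified
public sealed class ClaimPickup { public int PickupId; }  // client asserts an action: checkable against server state

// [Syncable]: replicated to clients, so it holds only what they need to render.
[Syncable]
public sealed class PlayerScore : ServerObject
{
    public int Score;
}

// Not [Syncable]: secrets and server bookkeeping never leave the server.
public sealed class PlayerServerState : ServerObject
{
    public string SessionToken = "";
    public Dictionary<int, int> PickupsOnMap = new Dictionary<int, int> { { 1, 10 }, { 2, 50 } };  // id -> points
}

public sealed class PlayerHandlers
{
    public readonly PlayerScore Score = new PlayerScore();
    public readonly PlayerServerState State = new PlayerServerState();

    // Anti-pattern: the client chooses the score. The range check bounds the damage,
    // but the value written to game-critical state is still whatever the client sent.
    [FromClient]
    private void Handler(UpdateScore msg)
    {
        if (msg.Score < 0 || msg.Score > 1000000) return;
        Score.Score = msg.Score;
    }

    // Authoritative pattern: the client only reports what it claims to have done;
    // the server validates the claim against its own state and computes the score.
    [FromClient]
    private void Handler(ClaimPickup msg)
    {
        // Unknown or already-claimed pickup: reject. Removing it also defeats a replayed claim.
        if (!State.PickupsOnMap.Remove(msg.PickupId, out int points)) return;
        Score.Score = checked(Score.Score + points);  // derived from server data, never from the message
    }
}
```

Dictionary.Remove(key, out value) requires .NET Core 2.0 / .NET Standard 2.1 or later; on older targets use TryGetValue followed by Remove.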
Further reading:
- Security Guide - Complete security best practices
- Production Checklist - Pre-deployment security review
Security updates are provided for the latest major version. Older versions may not receive security patches.
Once a security issue is fixed:
- We will release a patch
- Credit will be given to the reporter (unless they prefer anonymity)
- Details will be disclosed after users have time to update
Thank you for helping keep GPF secure!