Responsible Disclosure and Vulnerability Management
Protecting Users Through Transparent Security Practices
This project is under active development, and we provide security updates for the latest version only. Please ensure you're using the latest version of the project to receive security updates.
| Version | Supported |
|---|---|
| latest | โ |
We take the security of the Black Trigram (흑괘) project seriously. If you have found a potential security vulnerability, we kindly ask you to report it privately, so that we can assess and address the issue before it becomes publicly known.
A vulnerability is a weakness or flaw in the project that can be exploited to compromise the security, integrity, or availability of the system or its data. Examples of vulnerabilities include, but are not limited to:
- Unauthenticated access to sensitive data
- Injection attacks (e.g., SQL injection, cross-site scripting)
- Insecure defaults or configurations
- Insufficient access controls
- Remote code execution
Please follow these steps to privately report a security vulnerability:
- On GitHub.com, navigate to the main page of the Black Trigram repository.
- Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
- In the left sidebar, under "Reporting", click Advisories.
- Click Report a vulnerability to open the advisory form.
- Fill in the advisory details form. Provide as much information as possible to help us understand and reproduce the issue.
- At the bottom of the form, click Submit report.
After you submit the report, the maintainers of the game repository will be notified. They will review the report, validate the vulnerability, and take necessary actions to address the issue. You will be added as a collaborator and credited for the security advisory.
Upon receipt of a vulnerability report, our team will:
- Acknowledge the report within 48 hours
- Validate the vulnerability within 7 days
- Develop and release a patch or mitigation within 30 days, depending on the complexity and severity of the issue
- Publish a security advisory with a detailed description of the vulnerability and the fix
We appreciate your effort in helping us maintain a secure and reliable project. If your report results in a confirmed security fix, we will recognize your contribution in the release notes and/or a public acknowledgment, unless you request to remain anonymous.
Thank you for helping us keep the game project and its users safe.
Black Trigram applies defense-in-depth supply-chain controls aligned with the Hack23 Open Source Policy, Vulnerability Management Policy, and Secure Development Policy:
| Control | Implementation | Workflow |
|---|---|---|
| OSSF Scorecard | Automated weekly scoring; SARIF uploaded to GitHub code scanning and results published to the OpenSSF API | scorecards.yml |
| OpenSSF Best Practices | Project ID 10777 maintained at passing tier | bestpractices.dev/projects/10777 |
| SLSA Level 3 Provenance | Every release ships a signed intoto.jsonl build attestation | /attestations |
| CycloneDX SBOM | SPDX + CycloneDX SBOM published with every GitHub Release | release.yml |
| CodeQL SAST | Pull-request and weekly scheduled runs across JavaScript/TypeScript | codeql.yml |
| OWASP ZAP DAST | Active dynamic scan against the deployed game on each release | zap-scan.yml |
| Lighthouse Performance & Security | Best-practices, performance, accessibility, SEO budgets enforced | lighthouse-performance.yml |
| Accessibility (WCAG 2.1 AA) | Automated axe-core checks on every PR | accessibility-test.yml |
| Dependency Review | GitHub Dependency Review on every PR; blocks high-severity vulns | dependency-review.yml |
| Dependabot | Weekly updates with auto-merge for low-risk patches | .github/dependabot.yml |
| Pinned GitHub Actions | All third-party actions pinned to commit SHAs | WORKFLOWS.md |
| Signed commits | All maintainer commits signed with verified GPG/SSH keys | Access Control Policy |
| Hardened runners | step-security/harden-runner enforced on every workflow | All workflows |
| Asset audit | Image, audio, and video assets scanned for license/integrity | audit-assets.yml |
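Two of the controls in the table above, SHA-pinned third-party actions and step-security/harden-runner on every workflow, can be checked mechanically before a workflow change is merged. The following is an added example written for this page, not Black Trigram's own tooling: a dependency-free Python checker that scans a workflow file's `uses:` references and reports any action not pinned to a full 40-character commit SHA, plus whether harden-runner appears at all. The two workflow texts and the commit SHAs in them are constructed placeholders, not real releases of any action.

```python
import re
from typing import Dict, List, Tuple

# Matches `uses:` entries in a GitHub Actions workflow, with or without a
# leading list dash and with or without quotes around the reference.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*["\']?([^"\'\s#]+)')
# Only a full-length lowercase hex commit SHA counts as "pinned";
# tags (v4) and branches (main) are mutable and can be retargeted.
SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text: str) -> Dict[str, object]:
    """Return unpinned action references and harden-runner presence for one file.

    Local composite actions (./...) and docker:// images are skipped: local
    actions live in the repository itself, and container images are pinned
    by image digest rather than by commit SHA.
    """
    unpinned: List[Tuple[int, str]] = []
    harden_runner = False
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if action == "step-security/harden-runner":
            harden_runner = True
        # A missing "@ref" or a tag/branch ref is treated as unpinned.
        if not SHA_RE.fullmatch(version):
            unpinned.append((lineno, ref))
    return {"unpinned": unpinned, "harden_runner": harden_runner}


def is_compliant(text: str) -> bool:
    """True only if every third-party action is SHA-pinned and harden-runner is used."""
    result = audit_workflow(text)
    return not result["unpinned"] and bool(result["harden_runner"])


# Constructed sample: every action pinned, harden-runner present.
PINNED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # constructed placeholder SHA
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # constructed placeholder SHA
      - uses: ./.github/actions/local-build
      - run: npm ci && npm run build
"""

# Constructed sample: a tag ref, a ref-less action, and no harden-runner step.
UNPINNED_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/upload-artifact"
      - uses: docker://alpine:3.19
      - run: echo deploy
"""

if __name__ == "__main__":
    for name, workflow in (("pinned", PINNED_WORKFLOW), ("unpinned", UNPINNED_WORKFLOW)):
        findings = audit_workflow(workflow)
        print(f"{name}: compliant={is_compliant(workflow)}")
        for lineno, ref in findings["unpinned"]:
            print(f"  line {lineno}: action not pinned to a commit SHA: {ref}")
        if not findings["harden_runner"]:
            print("  step-security/harden-runner not found in this workflow")
```

Run it over each file under `.github/workflows/` as a pre-commit hook or a CI gate and fail the job when `is_compliant` returns False. The SHA check is deliberately strict: an abbreviated SHA or a `v4`-style tag is reported even when a trailing `# v4.1.1` comment documents the intended version, because the comment is informational while the ref is what the runner actually resolves.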
Live status: see the consolidated badge wall in README.md and the full pipeline catalogue in WORKFLOWS.md.
For comprehensive security documentation and our Information Security Management System (ISMS):
- ISMS-PUBLIC Repository - Complete ISMS framework, policies, and procedures
- ISMS Reference Mapping - Complete mapping of ISMS policies referenced by Black Trigram
- Threat Model - Security threat analysis and risk assessment
- CRA Assessment - EU Cyber Resilience Act compliance
- Security Architecture - Current security implementation
Our commitment to transparency means all security policies, risk assessments, and compliance documentation are publicly available for review.
- Information Security Policy - Overall security governance
- Vulnerability Management - Security testing and remediation procedures
- Incident Response Plan - Security incident handling
- Secure Development Policy - Security-integrated SDLC practices
- Classification Framework - Business impact and risk assessment
- Security Architecture - Current security implementation
- Future Security Architecture - Planned security enhancements
- Threat Model - STRIDE analysis and attack trees
- CRA Assessment - EU Cyber Resilience Act compliance
- ISMS Reference Mapping - Complete ISMS policy mapping
- End-of-Life Strategy - Security patching and support lifecycle
- Workflows - Security-hardened CI/CD pipelines
- Development Guide - Security features and testing strategy
- Change Management - Risk-controlled change processes
- Third Party Management - Supplier security assessment
- ISMS Transparency Plan - Public disclosure strategy
- Open Source Policy - Open source governance
Document Control:
Approved by: James Pether Sörling, CEO
Distribution: Public
Classification:
Effective Date: 2026-04-21
Next Review: 2026-07-21
Framework Compliance: