
Security: 12345Anthon/RealEngine

SECURITY.md

RealEngine Security Policy

This Security Policy outlines the guidelines for ensuring the safety and integrity of the RealEngine project, community members, and code contributions. We encourage a proactive approach to security, and any identified vulnerabilities or concerns should be reported and addressed swiftly.

1. Secure Coding Practices

All contributors to the RealEngine repository must adhere to secure coding practices, including:

  • Input validation: Ensure all inputs from users and external systems are validated.
  • Least Privilege: Apply the principle of least privilege to all code and components. Only expose the necessary parts of the system.
  • Cryptographic Practices: Use industry-standard cryptography to protect sensitive data.

2. Reporting Vulnerabilities

If you discover a security vulnerability in RealEngine or related systems, please follow the steps below:

  1. Do not publicly disclose vulnerabilities until they are resolved.
  2. Report the vulnerability by opening a private issue on GitHub or via email to [[email protected]].
  3. Provide as much detail as possible, including:
    • Reproduction steps
    • Affected components
    • Potential impact
    • Suggested mitigation (if any)

3. Code Review Process

Security must be a priority during code reviews. All pull requests will be subject to security checks, and contributors are encouraged to:

  • Review code for any security flaws or vulnerabilities.
  • Use automated tools to scan for common vulnerabilities.
  • Ensure all security patches are tested before merging.

4. Dependency Management

RealEngine uses third-party dependencies to reduce development time. All dependencies must:

  • Be regularly checked for security updates and patches.
  • Be reviewed for security risks before integration.
  • Be up-to-date with the latest stable and secure versions.

5. Access Control

All contributors should follow the principle of least privilege with respect to repository access and permissions. Maintain access only to necessary areas and use multi-factor authentication (MFA) where applicable.

6. Data Protection

Ensure that any personal or sensitive data, whether from users or developers, is handled securely:

  • Sensitive data must be encrypted during storage and transmission.
  • Personal data must be anonymized wherever possible.

7. Regular Security Audits

Regular audits should be conducted on the repository to identify vulnerabilities, misconfigurations, and security gaps. Security audits should include:

  • Codebase vulnerability scanning.
  • Dependency audits.
  • System architecture reviews.

8. Community Engagement

We encourage everyone in the RealEngine community to:

  • Stay informed about the latest security developments in the field of game engines.
  • Participate in discussions around improving the security of RealEngine.
  • Be mindful of social engineering tactics and phishing attempts, and report any suspicious activity.

By following these practices, we can ensure RealEngine remains secure and trusted by the community.
