We are committed to keeping HonestLiar secure. The following versions are currently supported with security updates:

We take security vulnerabilities seriously. If you discover a security issue, please follow these guidelines:

1. Report privately - Do NOT create a public GitHub issue for security vulnerabilities

2. Email us directly - Send details to your security contact email

3. Provide details - Include:

   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if you have one)
   • Your contact information

4. Allow time for response - We aim to respond within 48 hours

5. Give us time to fix - Please allow reasonable time for us to address the issue before public disclosure

• Don't publicly disclose the vulnerability before it's fixed
• Don't exploit the vulnerability beyond what's necessary to demonstrate it
• Don't access, modify, or delete other users' data
• Don't perform attacks that could harm service availability (DDoS, spam, etc.)

If you're running your own instance of HonestLiar:

Required Security Measures:

1. Use HTTPS in production

   // Use SSL certificates (Let's Encrypt, etc.)
   const https = require('https');
   const fs = require('fs');
   
   const options = {
     key: fs.readFileSync('privkey.pem'),
     cert: fs.readFileSync('cert.pem')
   };
   
   https.createServer(options, app).listen(3001);

2. Enable CORS properly

   // Restrict CORS to your domain
   const cors = require('cors');
   app.use(cors({
     origin: 'https://yourdomain.com',
     credentials: true
   }));

3. Use environment variables

   • Never commit .env files
   • Use strong MongoDB credentials
   • Rotate credentials regularly

4. Implement rate limiting

   const rateLimit = require('express-rate-limit');
   
   const limiter = rateLimit({
     windowMs: 15 * 60 * 1000, // 15 minutes
     max: 100 // limit each IP to 100 requests per windowMs
   });
   
   app.use(limiter);

5. Keep dependencies updated

   npm audit
   npm update

If using MongoDB:

1. Enable authentication

   MONGODB_URI=mongodb://username:password@localhost:27017/honestliar
   

2. Use network isolation

   • Don't expose MongoDB directly to the internet
   • Use firewall rules
   • Use VPN or private networks

3. Regular backups

   mongodump --uri="mongodb://localhost:27017/honestliar" --out=backup

4. Enable encryption at rest (MongoDB Enterprise)

Frontend Best Practices:

1. Sanitize user input

   • Never trust user input
   • Validate all data client and server-side
   • Use proper escaping for HTML/JavaScript

2. Don't store sensitive data

   • No passwords or personal info in localStorage
   • Use secure, httpOnly cookies for sessions

3. Content Security Policy

   <meta http-equiv="Content-Security-Policy" 
         content="default-src 'self'; script-src 'self'">

Socket.IO Best Practices:

1. Validate all events

   socket.on("user_action", (data) => {
     if (!isValid(data)) {
       socket.emit("error", "Invalid data");
       return;
     }
     // Process action
   });

2. Implement authentication

   io.use((socket, next) => {
     const token = socket.handshake.auth.token;
     if (isValidToken(token)) {
       next();
     } else {
       next(new Error("Authentication failed"));
     }
   });

3. Rate limit socket events

   • Prevent spam and abuse
   • Disconnect abusive clients

1. No built-in authentication - Server doesn't verify player identity
2. Room codes are simple - 6-character alphanumeric codes
3. No encryption by default - Use HTTPS in production
4. In-memory storage - Data not persisted by default
5. No input sanitization - Implement if exposing to untrusted users

• Add optional authentication system
• Implement rate limiting
• Add input validation and sanitization
• Create security audit checklist
• Add automated security testing

1. Day 0: Vulnerability reported privately
2. Day 1-2: Initial response and acknowledgment
3. Day 3-7: Investigation and fix development
4. Day 8-14: Testing and validation
5. Day 15: Public disclosure and patch release

Security patches are released as soon as possible after a vulnerability is confirmed. Users are notified through:

• GitHub Security Advisories
• Release notes
• Email notifications (if subscribed)

1. Don't share personal information during gameplay
2. Use unique room codes - Don't reuse codes
3. Be cautious with links - Verify the game URL
4. Report suspicious behavior to server operators

1. Monitor logs for suspicious activity
2. Keep software updated regularly
3. Backup data frequently
4. Use strong passwords for databases
5. Enable HTTPS in production
6. Implement rate limiting to prevent abuse
7. Review access logs periodically

If hosting in EU or serving EU users:

1. Implement data deletion - Users should be able to delete their data
2. Privacy policy - Provide clear information about data usage
3. Cookie consent - If using cookies, implement consent mechanism
4. Data retention - Define and enforce data retention policies

This game is recommended for ages 13+. If allowing younger users:

1. Parental consent required for users under 13
2. No personal information collection from children
3. Compliance with COPPA regulations

For security-related inquiries:

• Security Issues: Report privately via email
• General Questions: Use GitHub Discussions
• Non-Security Bugs: Use GitHub Issues

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be credited in our security advisories (unless they prefer to remain anonymous).

Last Updated: January 2, 2026

This policy is subject to change. Please check back regularly for updates.