
Security: Tamentai-RPG/Tamentai


SECURITY.md

Security Policy

Tamentai has security as a core product goal. The project is not yet production-ready, but security-sensitive decisions should be handled carefully from the beginning.

Supported versions

Tamentai does not have stable releases yet.

Until the first public release, security reports should target the main branch unless a release branch is explicitly documented.

Reporting a vulnerability

If you find a security issue, please do not disclose it publicly first.

Use GitHub's private vulnerability reporting if it is enabled for the repository. If it is not enabled yet, contact the maintainers through a private channel listed on the GitHub organization or repository profile.

When reporting, include:

  • affected commit, branch, or release;
  • steps to reproduce;
  • expected and actual behavior;
  • impact;
  • whether the issue is already public;
  • any proof-of-concept code or sample data needed to reproduce the issue.

Security-sensitive areas

These areas require extra care:

  • plugin loading and execution;
  • package signing and verification;
  • game and plugin manifests;
  • save file loading;
  • project importers;
  • archive extraction;
  • networked gameplay;
  • launcher update logic;
  • Godot/native integration boundaries;
  • any future WebAssembly host API;
  • filesystem or network capabilities.

Security principles

  • Game data should be inert. Loading data should not execute arbitrary code.
  • Plugins should use explicit capabilities and least privilege.
  • Signatures prove identity and integrity, not safety.
  • Untrusted files should be parsed defensively.
  • Runtime behavior should be deterministic where compatibility or online validation depends on it.
  • Avoid hidden filesystem, process, network, or OS access from plugin code.
  • Prefer simple, reviewable dependencies for security-critical paths.

Public discussion

General security design discussion is welcome in public issues and discussions.

Please keep exploit details private until maintainers have had a reasonable chance to investigate and fix the issue.
