The table below shows which versions of LITH currently receive security fixes. Only the latest stable release is actively maintained.

Please do not report security vulnerabilities through public GitHub Issues.

If you discover a security vulnerability in LITH, report it responsibly using one of the following channels:

Use GitHub's built-in private disclosure workflow:

1. Go to the repository's Security tab
2. Click "Report a vulnerability"
3. Fill in the advisory form

This creates an end-to-end encrypted channel between you and the maintainers.

Send a detailed report to the maintainers at the email address listed in the repository's package.json or GitHub profile. Encrypt your message with the project's PGP key if one is published.

A useful report includes:

• Description — what is the vulnerability and what is its potential impact?
• Affected component — which file, function, or feature is affected?
• Reproduction steps — a minimal, clear sequence of steps to trigger the issue
• Proof of concept — if applicable, include a minimal PoC (but please avoid causing real harm)
• Suggested fix — if you have one, we welcome it
• Environment — browser version, OS, any relevant configuration

We follow responsible disclosure. We will not take legal action against researchers who:

• Report in good faith
• Give us reasonable time to fix before public disclosure
• Do not access, modify, or exfiltrate user data
• Do not cause denial of service or disrupt availability

LITH is a client-side only browser instrument. There is no server, no database, no authentication, and no user data processed. The realistic attack surface is narrow:

• Vulnerabilities in browsers themselves (report to the relevant browser vendor)
• Social engineering attacks against contributors
• Physical attacks
• Denial of service via extremely large numbers of simultaneous browser tabs
• Missing Strict-Transport-Security (HSTS) — depends on hosting configuration, not this project

For researchers, these are the properties LITH relies on:

1. No network requests at runtime. The CSP connect-src 'none' directive blocks all fetch() and XMLHttpRequest calls. The sole external resource load is Google Fonts at page load time, restricted by font-src https://fonts.gstatic.com.

2. No user data persisted. Nothing is written to localStorage, sessionStorage, IndexedDB, or cookies. All state is ephemeral and lives only in the JavaScript IIFE closure for the duration of the page session.

3. AudioContext is gated by user gesture. bootAudio() is only called from pointerdown and keydown event handlers with {once: true}. Browsers independently enforce this policy, but the code also enforces it explicitly.

4. All canvas text comes from internal constants. The strings ROOTS (note names) and INAMES (interval names) are the only values ever passed to canvas draw calls. No user input, URL parameter, or DOM content reaches the canvas renderer.

5. innerHTML is used only for = ''. DOM reset assignments only. No string interpolation, no user-supplied HTML.

We are grateful to security researchers who responsibly disclose vulnerabilities. Credited researchers (with permission) will be listed here.

No CVEs reported yet.