
Security: karth2512/evil-wordle


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version   Supported
1.0.x     Yes

Reporting a Vulnerability

We take the security of Evil Wordle seriously. If you believe you have found a security vulnerability, please report it to us as described below.

How to Report a Security Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. GitHub Security Advisories (Preferred)

    • Navigate to the Security tab
    • Click "Report a vulnerability"
    • Fill out the form with details about the vulnerability
  2. Direct Contact

    • Email: Create an issue and mention @karth2512 for security concerns
    • Include "[SECURITY]" in the subject line

What to Include in Your Report

Please include the following information to help us better understand the nature and scope of the issue:

  • Type of vulnerability (e.g., XSS or a dependency vulnerability)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
  • Updates: We will send you regular updates about our progress
  • Timeline: We aim to patch critical vulnerabilities within 7 days of confirmation
  • Credit: If you wish, we will publicly credit you for the discovery once the vulnerability is fixed

Security Best Practices for Users

While using Evil Wordle:

  1. Keep Dependencies Updated: If you're running a local instance, regularly update dependencies using npm update
  2. Use HTTPS: Always access the game through HTTPS (enforced on GitHub Pages)
  3. Browser Security: Use an up-to-date browser with security features enabled
  4. Local Storage: Game data is stored in browser localStorage; clear it if you are using a shared computer

Known Limitations

As a client-side-only application hosted on GitHub Pages:

  • Custom security headers (CSP, HSTS) cannot be configured
  • All game logic runs in the browser and can be inspected
  • Game statistics are stored locally and not backed up

Security Measures in Place

  • ✅ Automated dependency vulnerability scanning (Dependabot)
  • ✅ Regular npm audit checks in CI/CD pipeline
  • ✅ CodeQL static analysis scanning
  • ✅ Minimal dependency footprint
  • ✅ HTTPS enforced by GitHub Pages
  • ✅ No sensitive data collection or storage
  • ✅ React's built-in XSS protection

Scope

The following are considered in scope for vulnerability reports:

  • Dependency vulnerabilities
  • Cross-Site Scripting (XSS)
  • Client-side code injection
  • Supply chain security issues
  • Build pipeline security issues

The following are considered out of scope:

  • Issues requiring physical access to a user's device
  • Social engineering attacks
  • Denial of Service (DoS) attacks
  • Issues in third-party dependencies already reported upstream
  • Game logic exploits (intentionally client-side)

Policy Updates

This security policy may be updated from time to time. We will notify users of any significant changes.

Last Updated: January 2026