
Security: ledihildawan/trace


.github/SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
Latest
< 1.0

Reporting a Vulnerability

We take the security of TRACE seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

⚠️ Please do NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security issues by emailing:

📧 lhildawan@gmail.com

What to Include

Please include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Suggested fix (if you have one)
  • Your name/handle for acknowledgment (optional)

What to Expect

  1. Acknowledgment: We will acknowledge your report within 48 hours
  2. Assessment: We will investigate and assess the vulnerability within 7 days
  3. Resolution: We aim to release a fix within 30 days for critical issues
  4. Disclosure: We will coordinate with you on public disclosure timing

Safe Harbor

We support responsible disclosure. If you make a good faith effort to:

  • Avoid privacy violations and data destruction
  • Give us reasonable time to fix issues before public disclosure
  • Avoid exploiting issues beyond what's necessary to demonstrate them

We will:

  • Not pursue legal action against you
  • Work with you to understand and resolve the issue
  • Credit you in our security acknowledgments (if desired)

Security Best Practices

When contributing to TRACE, please follow these security guidelines:

Code Security

  • Never commit secrets (API keys, tokens, passwords)
  • XSS Prevention: Build DOM nodes with createElement() and put user-controlled strings only into textContent; never pass them to innerHTML, outerHTML or insertAdjacentHTML()
  • Input Sanitization: Validate and sanitize all user input (type, length, allowed characters) before storing or rendering it; validation limits what the app accepts, it does not replace safe rendering
  • localStorage Safety: Wrap every storage operation in try-catch; getItem/setItem can throw in private-browsing modes, when storage is disabled, or when the origin's quota is exhausted
  • Content Security Policy: Respect the existing CSP headers; do not add inline scripts, eval(), or resources from origins the policy does not allow

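The two rendering patterns the guidelines above contrast, as an added example rather than TRACE's own code: input validation in front, the forbidden innerHTML concatenation beside the required createElement()/textContent construction. The entry shape { title, note, tags } and the tiny DOM stand-in (so the file runs under Node) are assumptions for the example; in a page you pass the real `document`.

```javascript
// Added example, not TRACE project code. Shows the innerHTML pattern the
// policy forbids beside the createElement()/textContent pattern it requires,
// with input validation in front of both. The entry shape
// { title, note, tags } is a hypothetical stand-in for whatever TRACE stores.

const MAX_TITLE = 120;
const MAX_NOTE = 2000;
const TAG_RE = /^[a-z0-9-]{1,32}$/;

// Validation: enforce type, length and character set before the data is
// stored or rendered. Returns a normalized copy; throws on anything else.
function validateEntry(raw) {
  if (typeof raw !== 'object' || raw === null) throw new TypeError('entry must be an object');
  const title = String(raw.title ?? '').trim();
  const note = String(raw.note ?? '').trim();
  const tags = Array.isArray(raw.tags) ? raw.tags.map(String) : [];
  if (title.length === 0 || title.length > MAX_TITLE) throw new RangeError('bad title length');
  if (note.length > MAX_NOTE) throw new RangeError('note too long');
  if (!tags.every((t) => TAG_RE.test(t))) throw new RangeError('tag must match ' + TAG_RE);
  return { title, note, tags };
}

// VULNERABLE: user data concatenated into markup. A title such as
// '<img src=x onerror=alert(1)>' is parsed as HTML and its handler runs.
// Validation above does not stop this: '<' is a legal character in a title.
function renderEntryUnsafe(container, entry) {
  container.innerHTML = `<li><strong>${entry.title}</strong> ${entry.note}</li>`;
}

// SAFE: build the tree with createElement()/createTextNode() and put user
// data only into textContent, which the browser never parses as markup.
function renderEntrySafe(doc, container, entry) {
  const li = doc.createElement('li');
  const strong = doc.createElement('strong');
  strong.textContent = entry.title;
  li.appendChild(strong);
  li.appendChild(doc.createTextNode(' ' + entry.note));
  for (const tag of entry.tags) {
    const span = doc.createElement('span');
    span.className = 'tag';
    span.textContent = tag;
    li.appendChild(span);
  }
  container.appendChild(li);
  return li;
}

// Constructed stand-in for the DOM so the file runs under Node; in a page
// you would pass the real `document`. Its serializer escapes text nodes the
// way a browser does and emits innerHTML-assigned strings verbatim, which
// is exactly the difference the two renderers above rely on.
const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
class StubNode {
  constructor(tag, text = '') {
    this.tagName = tag; // null for text nodes
    this.text = text;
    this.children = [];
    this.className = '';
    this.rawHTML = null; // set by an innerHTML assignment
  }
  appendChild(node) { this.children.push(node); return node; }
  set textContent(s) { this.rawHTML = null; this.children = [new StubNode(null, String(s))]; }
  set innerHTML(markup) { this.children = []; this.rawHTML = String(markup); }
  serialize() {
    if (this.tagName === null) return escapeText(this.text);
    const cls = this.className ? ` class="${this.className}"` : '';
    const inner = this.rawHTML ?? this.children.map((c) => c.serialize()).join('');
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}
const stubDocument = {
  createElement: (tag) => new StubNode(tag),
  createTextNode: (text) => new StubNode(null, text),
};

// Demonstration on a hostile entry (constructed input).
const hostile = validateEntry({ title: '<img src=x onerror=alert(1)>', note: 'a & b', tags: ['work'] });
const unsafeList = stubDocument.createElement('ul');
renderEntryUnsafe(unsafeList, hostile);
const safeList = stubDocument.createElement('ul');
renderEntrySafe(stubDocument, safeList, hostile);
console.log(unsafeList.serialize()); // markup survives: <ul><li><strong><img src=x onerror=alert(1)>...
console.log(safeList.serialize());   // escaped: <ul><li><strong>&lt;img src=x onerror=alert(1)&gt;</strong> a &amp; b...
```

The validator and the safe renderer are independent defences: the validator rejects oversized or malformed entries, the renderer makes the remaining characters inert. Dropping either one reopens a hole.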
Resource Security

  • Use HTTPS for all external resources (fonts, CDNs)
  • Verify Integrity: Add SRI (Subresource Integrity) hashes, together with crossorigin="anonymous", to every external script and stylesheet, and regenerate the hash whenever the pinned file changes
  • Minimal Dependencies: Avoid adding new external dependencies
  • Keep dependencies updated and audit for vulnerabilities

Data Security

  • UTC Time Handling: Use the UTC Date methods (getUTCDate(), Date.UTC(), toISOString()) rather than their local-time counterparts when computing or storing dates, so the same instant maps to the same day on every machine and across DST changes
  • No Sensitive Data: Don't store or transmit sensitive user information
  • Privacy First: Respect user privacy - no tracking or analytics without consent

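The UTC rule in practice, as an added example that is not TRACE's own code: day-key helpers written with UTC methods only, beside the local-time version that changes meaning with the machine's timezone. The YYYY-MM-DD key format is an assumption for the example.

```javascript
// Added example, not TRACE project code. Day-key helpers that use only the UTC
// Date methods, shown beside the local-time version that the policy warns
// against. The key format YYYY-MM-DD is an assumption, not TRACE's own.
const pad2 = (n) => String(n).padStart(2, '0');

// Local-time version: the key for one instant depends on the machine's timezone,
// and around a DST change a local day is 23 or 25 hours long.
function dayKeyLocal(d) {
  return `${d.getFullYear()}-${pad2(d.getMonth() + 1)}-${pad2(d.getDate())}`;
}

// UTC version: the same instant yields the same key on every machine.
function dayKeyUTC(d) {
  return `${d.getUTCFullYear()}-${pad2(d.getUTCMonth() + 1)}-${pad2(d.getUTCDate())}`;
}

// Strict parser for stored keys. Date.UTC() silently rolls 2024-02-30 over into
// March, so the fields are checked again after construction.
function parseDayKey(key) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(key));
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d ? dt : null;
}

// Whole days between two keys. Date.UTC() arithmetic has no DST, so dividing by
// 86,400,000 is exact; the local-time equivalent is off by an hour twice a year.
function daysBetween(keyA, keyB) {
  const a = parseDayKey(keyA);
  const b = parseDayKey(keyB);
  if (a === null || b === null) throw new RangeError('invalid day key');
  return Math.round((b.getTime() - a.getTime()) / 86_400_000);
}

// Timestamps go to storage as ISO 8601 in UTC (the trailing Z), never as a
// formatted local string that has to be re-parsed later.
const stamp = (d) => d.toISOString();

// One instant near a day boundary (constructed): 2024-03-10T23:30:00Z is still
// 10 March at UTC-5 but already 11 March at UTC+9; the UTC key is the same everywhere.
const instant = new Date('2024-03-10T23:30:00Z');
console.log(dayKeyLocal(instant), dayKeyUTC(instant), stamp(instant));
```

Run the block with different TZ values (for example TZ=America/New_York and TZ=Asia/Tokyo) to see dayKeyLocal change while dayKeyUTC and the ISO timestamp stay fixed.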
Known Security Measures

TRACE currently implements:

  • Content Security Policy (CSP) headers
  • XSS protection via safe DOM manipulation
  • Error handling for localStorage (private browsing support)
  • No external JavaScript dependencies, so there is no third-party script supply chain to compromise (externally loaded fonts and other CDN assets still need HTTPS and SRI, as described above)

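The localStorage error handling listed above (and the try-catch rule under Code Security), as an added example rather than TRACE's own code. The wrapper takes a function returning the storage object so that even the first access to window.localStorage happens inside the guard; the three storage stand-ins are constructed so the file runs under Node.

```javascript
// Added example, not TRACE project code. A localStorage wrapper in which every
// call, including the first access to `window.localStorage`, runs inside
// try/catch: older Safari private mode throws on setItem, Firefox with storage
// blocked throws on touching localStorage at all, and any browser throws
// QuotaExceededError when the origin's quota is full. The wrapper also
// tolerates corrupt JSON left behind by an older version or another script.
function createSafeStorage(getStorage) {
  const attempt = (op, fallback) => {
    try {
      return op(getStorage());
    } catch (_err) {
      return fallback; // SecurityError, QuotaExceededError, SyntaxError from JSON.parse, ...
    }
  };
  return {
    get: (key, fallback = null) =>
      attempt((s) => {
        const raw = s.getItem(key);
        return raw === null ? fallback : JSON.parse(raw);
      }, fallback),
    set: (key, value) => attempt((s) => { s.setItem(key, JSON.stringify(value)); return true; }, false),
    remove: (key) => attempt((s) => { s.removeItem(key); return true; }, false),
    // Probe by writing, so read-only modes are detected, not just absence.
    available: () =>
      attempt((s) => { const k = '__trace_probe__'; s.setItem(k, '1'); s.removeItem(k); return true; }, false),
  };
}

// Constructed stand-ins for three browser behaviours; a page would pass
// `() => window.localStorage` instead.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
function makeReadOnlyStorage() { // quota exhausted, or old Safari private mode
  return { getItem: () => null, setItem: () => { throw new Error('QuotaExceededError'); }, removeItem: () => {} };
}
function blockedStorage() { // storage disabled: the property access itself throws
  throw new Error('SecurityError: storage disabled');
}

// Usage: the app keeps working in every mode, it just loses persistence.
const backing = makeMemoryStorage();
const store = createSafeStorage(() => backing);
store.set('entries', [{ title: 'first' }]);
console.log(store.get('entries', []));                       // [ { title: 'first' } ]
console.log(createSafeStorage(blockedStorage).available());  // false
```

Because every script running on the origin can read localStorage and it is not encrypted at rest, the wrapper makes storage robust, not private; the "No Sensitive Data" rule above still applies to everything written through it.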
Thank you for helping keep TRACE safe! 🙏
