Currently supported versions with security updates:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take the security of Orb seriously. If you believe you have found a security vulnerability, please report it to us responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please email security reports to:
- [Your Email Here]
Include as much information as possible:
- Type of vulnerability
- Full paths of affected source files
- Location of the affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue

After we receive your report:
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a more detailed response within 7 days
- We will work with you to understand and resolve the issue
- We will notify you when the issue is fixed
- We will credit you in our security advisory (unless you prefer to remain anonymous)
When using Orb:
- Keep Updated: Always use the latest version
- WebView Security: Be aware that tab WebViews load external content
- URL Validation: Be cautious when opening untrusted URLs
- File Permissions: Review file permissions when installing
- Dependencies: Keep system WebView engines updated

Tab WebViews:
- Each tab uses a WebView to render web content
- Standard web security policies apply (CORS, CSP, etc.)
- No special sandboxing beyond the system WebView engine

Go and JavaScript bindings:
- Communication between Go and JavaScript is intentional
- All bound functions are documented
- No arbitrary code execution from web content to Go

Content loading:
- The UI WebView only loads local trusted files
- No remote content in the 3D space UI
- Tab WebViews follow standard browser security
Security updates will be released as soon as possible after a vulnerability is confirmed. Updates will be announced via:
- GitHub Security Advisories
- Release notes
- Project README
We appreciate responsible disclosure and the security research community's efforts to make Orb safer for everyone.