StarStats is a hobby project run by a single maintainer. We take security seriously but the response surface is one person, so set your expectations accordingly. The disclosures below describe how to report a problem, what's in scope, how to verify release artifacts, and which dependency advisories we have already triaged and accepted.

Please do not open a public issue for security problems.

Preferred channel — GitHub Security Advisories (private): https://github.com/ntatschner/StarStats/security/advisories/new. This goes straight to the maintainer and is invisible until we publish.

Email channel — security@starstats.app. Goes to the same maintainer. The mailbox lives on the project's primary domain, so domain-MX changes don't affect this address. PGP not yet available; if you want an encrypted channel, mention it in your first message and we'll arrange one.

We aim to acknowledge within 7 days and to triage within 30. Critical issues affecting authentication, account takeover, unintended data disclosure, or the release-signing chain get prioritised over everything else, including ongoing feature work.

We do not run a paid bug-bounty programme. We are happy to credit researchers in the corresponding GHSA / release notes if you'd like the recognition.

• The Tauri tray client (crates/starstats-client and apps/tray-ui), including how it stores the RSI session cookie, parses Game.log, and handles updater downloads.
• The API server (crates/starstats-server), including auth, device pairing, ingest, query endpoints, the OIDC discovery surface (/.well-known/*), and the audit log.
• The web app (apps/web), including login, session cookies, email verification, share-link flows, and any code path that reaches the API server on the user's behalf.
• The updater pipeline end-to-end: per-channel manifests at release-manifests/{alpha,beta,rc,live}.json on main, the Tauri updater config in crates/starstats-client/tauri.conf.json, the signed installers themselves, and the minisign signatures CI produces during the release workflow.
• The WiX / NSIS Windows installers (StarStats_<version>_x64-setup.exe and the .msi), including elevation behaviour, install-path handling, upgrade metadata, and any custom action.
• The auto-update signature chain: the minisign keypair used to sign updater payloads, the code-signing certificate used for the Windows installer, and the chain of trust from a fresh install to a verified update.
• Database migrations and schema in crates/starstats-server/migrations — including any path that could leak data across users or bypass row-level checks.

• RSI's own services. The Roberts Space Industries website, Spectrum, the launcher, and the game itself are not ours to defend. Report vulnerabilities in those to RSI directly.
• Third-party dependencies with their own security pipelines. Issues in upstream crates / npm packages should be reported to the upstream maintainer (or via the Rust Security Response WG / GitHub advisory database). If a triaged advisory becomes exploitable in our codebase, that's in scope and we'll re-open; see the accepted-advisories table below.
• Social-engineering of the maintainer. Phishing, account-recovery abuse, credential stuffing against the maintainer's personal accounts, and similar are not paid attack surface; if something worked you can let us know but it isn't a vulnerability in StarStats.
• Volumetric DoS / DDoS. The hosted server runs on a single homelab host.
• Self-XSS or attacks that require a malicious extension already installed in the victim's browser.
• Bugs in unreleased branches. Wait until they reach an alpha release.

If you find StarStats doing something that would trip Easy Anti-Cheat, that is an in-scope security issue (it'd be a bug in the project's core invariant). The posture itself is documented in EAC-SAFETY.md.

Every tagged release publishes signed installers plus a per-platform minisign signature in the GitHub release assets. The auto-updater verifies these signatures automatically; if you'd like to verify a download by hand:

RWREXTOuz2vAwn392/m6ZqHYEg89ZxiCAh6p6jIjCtAlozSk/mJidZyI

This key is also embedded in crates/starstats-client/tauri.conf.json under plugins.updater.pubkey (base64-encoded for Tauri's config layout). Both copies must match — if they don't, the updater would refuse to apply an update, and you should refuse to trust the release.

# 1. Confirm Authenticode signature (signed with the project code-signing cert):
Get-AuthenticodeSignature .\StarStats_<version>_x64-setup.exe

# 2. Confirm the minisign signature attached to the installer's updater bundle
#    (download the matching .sig from the GitHub release page):
minisign -V -P RWREXTOuz2vAwn392/m6ZqHYEg89ZxiCAh6p6jIjCtAlozSk/mJidZyI `
         -m StarStats_<version>_x64-setup.exe `
         -x StarStats_<version>_x64-setup.exe.sig

# AppImage:
minisign -V -P RWREXTOuz2vAwn392/m6ZqHYEg89ZxiCAh6p6jIjCtAlozSk/mJidZyI \
         -m StarStats_<version>_amd64.AppImage \
         -x StarStats_<version>_amd64.AppImage.sig

If a verification step fails, do not run the installer. Open a GitHub Security Advisory or email security@starstats.app with the artifact filename, the release tag, and the exact failure message.

For deeper detail see apps/web/src/app/privacy/page.tsx §9, which describes what's customer-visible. In summary:

• Passwords: Argon2id.
• Sessions: HttpOnly + Secure cookies, 1-hour TTL.
• API tokens: RS256 JWT signed by an on-disk key generated at first boot.
• TOTP secrets: AES-256-GCM-encrypted with a file-based KEK (totp-kek.bin), fresh nonce per encrypt, never logged.
• Recovery codes: Argon2-hashed; we cannot read them back.
• Magic-link tokens: 15-minute, single-use, atomic UPDATE … RETURNING redeem so a token can't be replayed.
• Interim 2FA tokens: 5-minute, single-use, useless without the matching second factor.
• Anti-enumeration: magic-link start and password-reset start return the same response shape regardless of whether the email maps to an account, with timing equalised on the miss path.
• RSI session cookie (tray client only): stored in the OS keychain (Windows Credential Manager / macOS Keychain / Linux Secret Service) — only the same OS user that pasted the cookie can read it back.

The following Dependabot advisories have been triaged and accepted as non-exploitable in this codebase. They remain dismissed in the GitHub Dependabot panel with a tolerable_risk rationale; this section restates the reasoning so it survives outside the GitHub UI.

All five rustls/aws/lru entries below clear automatically once aws-sdk-s3 can be bumped past =1.110.0 — the workspace currently pins it for MSRV reasons. The glib entry clears once Tauri bumps its gtk dependency upstream.

If any of these become reachable in our codebase (for example, if we add CRL checking, take user-controlled region input, or call VariantStrIter directly), revisit the relevant row. Bumping aws-sdk-s3 past =1.110.0 clears the first five in one shot.