Skip to content

Security: akshay2211/DrawBox

Security

SECURITY.md

Security Policy

Supported Versions

Version Status Security fixes
2.0.x (KMP) Active development Yes
1.x (Android) Legacy, superseded by 2.0.x Critical only

The active KMP line (2.0.x) is the recommended target for all new integrations. The Android-only 1.x line is in maintenance mode.

Reporting a Vulnerability

Please do not open a public GitHub issue for security reports.

Report vulnerabilities privately via GitHub's Private Vulnerability Reporting form, or by email to fxn769@gmail.com with the subject line DrawBox security report.

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce, ideally a minimal sample project.
  • The DrawBox version and platform target (Android, iOS, JVM, WASM).
  • Any relevant logs, stack traces, or proof-of-concept code.

Response Expectations

  • Acknowledgement: within 7 days of report.
  • Triage and initial assessment: within 14 days.
  • Fix or mitigation plan: communicated within 30 days for confirmed issues.

Timelines may shift for complex issues; in that case the reporter will be kept informed.

Disclosure Policy

DrawBox follows coordinated disclosure:

  1. The reporter and maintainer agree on a fix and a disclosure date.
  2. A patched release is published to Maven Central and tagged on GitHub.
  3. A GitHub security advisory is published describing the issue, affected versions, and the fix.

Credit is given to reporters who request it.

Scope

In scope:

  • The published io.ak1:drawbox library artifacts.
  • Sample applications in this repository (androidApp, iosApp, desktopApp, webApp) when the issue stems from library code.
  • Build, release, and CI configuration that affects what ships to consumers.

Out of scope:

  • Vulnerabilities in third-party dependencies — please report those upstream. We will track and update affected dependencies once fixes are available.
  • Issues that require an attacker to already have arbitrary code execution on the host application.

There aren't any published security advisories