| Version | Status | Security fixes |
|---|---|---|
2.0.x (KMP) |
Active development | Yes |
1.x (Android) |
Legacy, superseded by 2.0.x |
Critical only |
The active KMP line (2.0.x) is the recommended target for all new integrations. The Android-only 1.x line is in maintenance mode.
Please do not open a public GitHub issue for security reports.
Report vulnerabilities privately via GitHub's Private Vulnerability Reporting form, or by email to fxn769@gmail.com with the subject line DrawBox security report.
Please include:
- A description of the issue and its impact.
- Steps to reproduce, ideally a minimal sample project.
- The DrawBox version and platform target (Android, iOS, JVM, WASM).
- Any relevant logs, stack traces, or proof-of-concept code.
- Acknowledgement: within 7 days of report.
- Triage and initial assessment: within 14 days.
- Fix or mitigation plan: communicated within 30 days for confirmed issues.
Timelines may shift for complex issues; in that case the reporter will be kept informed.
DrawBox follows coordinated disclosure:
- The reporter and maintainer agree on a fix and a disclosure date.
- A patched release is published to Maven Central and tagged on GitHub.
- A GitHub security advisory is published describing the issue, affected versions, and the fix.
Credit is given to reporters who request it.
In scope:
- The published
io.ak1:drawboxlibrary artifacts. - Sample applications in this repository (
androidApp,iosApp,desktopApp,webApp) when the issue stems from library code. - Build, release, and CI configuration that affects what ships to consumers.
Out of scope:
- Vulnerabilities in third-party dependencies — please report those upstream. We will track and update affected dependencies once fixes are available.
- Issues that require an attacker to already have arbitrary code execution on the host application.