We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| 0.4.x | ❌ |
| < 0.4 | ❌ |
We take the security of POE2 HTC seriously. If you discover a security vulnerability, please report it privately as described below.
Please do not create a public GitHub issue for security vulnerabilities, as this could put users at risk.
Send an email to dboire@student.42.fr with:
- Subject: [SECURITY] Brief description of the vulnerability
- Description: Detailed description of the vulnerability
- Steps to Reproduce: Clear steps to reproduce the issue
- Impact: What an attacker could potentially do
- Affected Versions: Which versions are affected
- Suggested Fix: If you have one (optional)
After you report, you can expect:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Status Updates: Every week until resolved
- Fix Timeline: Depends on severity
  - Critical: 1-7 days
  - High: 1-4 weeks
  - Medium: 1-2 months
  - Low: Next scheduled release
- We will work with you to understand and fix the issue
- We will credit you in the security advisory (if you wish)
- We will coordinate public disclosure with you
- Public disclosure: typically 90 days after the fix is released
- Download only from official sources:
  - GitHub Releases
  - Never download from third-party sites
- Verify file checksums if provided (compare against the value published on the release page, not against a checksum shipped inside the same download)
- Use the auto-updater to stay current
The application runs locally on your machine:
- No data is sent to external servers
- All calculations happen client-side
- The backend server only listens on localhost:8080
The application requires:
- File System: To store logs and configuration
- Network: Only for localhost communication (frontend ↔ backend)
- No Sensitive Data: Application doesn't access or store sensitive information
- Enable auto-updates in settings
- Review release notes for security fixes
- Keep your system and dependencies updated
The Java backend runs on localhost:8080:
- Only accessible from your machine
- No external network access
- No authentication required (local-only). Note that any process on the machine, including a browser tab, can connect to a localhost port; the local-only design assumes the machine itself is trusted.
- Windows Firewall may prompt when the backend starts; this is normal. It is also a good moment to confirm the listener is bound to 127.0.0.1 and not to all interfaces.
We follow Electron security best practices:
- Context isolation enabled
- Node integration disabled in renderer
- Content Security Policy in place
- No remote code is loaded or executed
We regularly update dependencies to patch known vulnerabilities:
- Frontend: npm packages
- Backend: Maven dependencies
- Electron framework
- Bundled JRE
Check npm audit and Maven dependency reports in CI/CD.
- ✅ Local execution only
- ✅ No telemetry or tracking
- ✅ No cloud services
- ✅ Open source (auditable)
- ✅ Sandboxed Electron renderer
- ✅ Automatic updates with signature verification
- ✅ GitHub Actions security scanning
- ✅ Dependency vulnerability checks
- ✅ Code review process for all changes
- ✅ Automated builds (no manual tampering)
If you have questions about security that don't involve a vulnerability, you can:
- Open a GitHub Discussion
- Contact us at dboire@student.42.fr
We appreciate security researchers who help keep our users safe. Contributors will be listed here:
No security issues reported yet.
Thank you for helping keep POE2 HTC secure! 🛡️