We take the security of Nine Realities Netcode seriously. While this is primarily a research and documentation project, we want to ensure that any code examples or implementations are secure and follow best practices.
If you discover a security vulnerability in:
- Code examples
- Documentation that could lead to insecure implementations
- Dependencies or build processes
- Website or infrastructure
Please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please:
- Email: Send details to the repository owner via GitHub's private vulnerability reporting feature
- GitHub Security Advisory: Use the "Security" tab > "Report a vulnerability"
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
- Critical: 1-3 days
- High: 1-2 weeks
- Medium: 2-4 weeks
- Low: Best effort
| Version | Supported |
|---|---|
| main | β |
| < 2.0 | β |
We only support the latest version on the main branch.
When implementing netcode based on this research:
- Never trust client input: Always validate on the server
- Rate limiting: Implement input rate limits
- Sanity checks: Reject physically impossible actions
- Anti-cheat: Implement server-side verification
- Encryption: Use TLS/SSL for all network communication
- Authentication: Implement proper auth before accepting inputs
- DDoS Protection: Rate limit connections and packets
- Input validation: Sanitize all client data
- All code examples are educational and may need hardening for production
- Review and audit before using in production systems
- Add additional validation and error handling
- Implement proper logging and monitoring
Client prediction can be exploited if:
- Server doesn't validate actions
- Rollback windows are too large
- Physics simulation has vulnerabilities
Mitigation: Implement strict server-side validation and reasonable rollback limits.
Stored inputs could be replayed to exploit rollback mechanics.
Mitigation: Include timestamps, sequence numbers, and server-side validation.
Clients may attempt to send invalid state data.
Mitigation: Server maintains authoritative state; reject impossible transitions.
This project has not undergone professional security auditing. Code examples are provided for educational purposes and should be reviewed before production use.
For security concerns:
- Use GitHub's private vulnerability reporting
- Tag @POWDER-RANGER in security-related discussions
- Check existing security advisories before reporting
We appreciate responsible disclosure and will credit security researchers who report valid vulnerabilities (with permission).
Remember: This is research and educational material. Always consult with security professionals when implementing production netcode systems.