We provide security updates for the following versions of Emotive Engine:

We take security seriously. If you discover a security vulnerability in Emotive Engine, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub Security Advisories to privately report security issues.

Include in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested fix (if available)
• Your contact information for follow-up

We are committed to handling security reports promptly:

We use the following severity levels based on CVSS v3.1 scoring:

• Remote code execution
• Arbitrary code injection
• Response: Patch within 14 days

• XSS vulnerabilities
• Prototype pollution
• Denial of service
• Response: Patch within 30 days

• Information disclosure
• CSRF vulnerabilities
• Logic flaws
• Response: Patch in next minor release

• Minor information leaks
• Configuration issues
• Response: Patch in next scheduled release

Emotive Engine implements multiple security layers:

• Input Validation: All configuration parameters are validated and sanitized
• Output Encoding: Canvas rendering prevents injection attacks
• Dependency Scanning: Automated vulnerability checks via npm audit
• Secure Defaults: All dangerous features disabled by default

• Content Security Policy (CSP): Compatible with strict CSP policies
• Sandboxing: Isolated execution context
• Memory Safety: Object pooling prevents memory exhaustion
• Error Handling: Sensitive information never exposed in error messages

• Supply Chain: Dependencies pinned to specific versions
• Build Reproducibility: Deterministic builds with checksums
• Code Signing: Planned for future releases
• SBOM: Planned for future releases

• Performance Monitoring: Built-in performance APIs
• Audit Logging: Available through custom event handlers

Stay informed about security updates:

1. GitHub Security Advisories: https://github.com/joshtol/emotive-engine/security/advisories
2. npm Security Advisories: Automatic notifications for npm users
3. GitHub Releases: https://github.com/joshtol/emotive-engine/releases
4. GitHub Watch: Click "Watch" → "Custom" → "Security alerts"

When a security patch is released:

1. Immediate Action Required:

   npm update @joshtol/emotive-engine
   # or
   npm install @joshtol/emotive-engine@latest

2. Verify the Update:

   import EmotiveMascot from '@joshtol/emotive-engine';
   console.log(EmotiveMascot.version); // Check version number

3. Review Release Notes: https://github.com/joshtol/emotive-engine/releases

We follow responsible disclosure principles:

• We will acknowledge your report within 24 hours
• We will keep you informed of our progress
• We will credit you in the security advisory (unless you prefer anonymity)
• We will not pursue legal action against good-faith security researchers

• We request a 90-day embargo before public disclosure
• We will work with you to coordinate disclosure timing
• We will publish a security advisory when patches are available
• We will credit researchers who follow responsible disclosure

// ✅ Good: Minimal privilege configuration
const mascot = new EmotiveMascot({
    canvasId: 'safe-canvas',
    emotion: 'neutral',
});

// ❌ Bad: Accepting untrusted user input
const emotion = getUserInput(); // NEVER DO THIS
mascot.setEmotion(emotion); // Could be malicious

Always validate user input before passing to Emotive Engine:

// ✅ Whitelist approach
const ALLOWED_EMOTIONS = ['joy', 'neutral', 'calm', 'excited'];

function setUserEmotion(userInput) {
    if (ALLOWED_EMOTIONS.includes(userInput)) {
        mascot.setEmotion(userInput);
    } else {
        console.warn('Invalid emotion rejected:', userInput);
    }
}

Emotive Engine is compatible with strict CSP. Recommended policy:

<meta
    http-equiv="Content-Security-Policy"
    content="default-src 'self';
               script-src 'self' 'unsafe-eval';
               worker-src 'self' blob:;
               connect-src 'self';"
/>

Note: unsafe-eval is required for dynamic gesture loading (optional feature).

Regularly audit your dependencies:

npm audit
npm audit fix

Monitor for updates:

npm outdated

Emotive Engine uses HTML5 Canvas, which can theoretically be used for browser fingerprinting. This is an inherent property of Canvas APIs and not specific to our implementation.

Mitigation: If privacy is critical, consider:

• Using privacy-focused browsers with canvas fingerprinting protection
• Implementing canvas noise injection (browser extensions)
• Limiting mascot deployment to authenticated users only

Emotive Engine has zero runtime dependencies — nothing is bundled from node_modules. The optional 3D module requires three as a peer dependency (installed separately by the consumer). All dev dependencies are:

• Regularly audited for vulnerabilities
• Pinned to specific versions
• Reviewed before updates

Timing attacks based on animation performance are theoretically possible but have minimal practical risk for typical use cases.

• Code reviews required for all security-relevant changes
• Automated SAST scanning on every commit
• Dependency vulnerability checks on every build
• Manual penetration testing quarterly

Emotive Engine is designed to support compliance with:

• ✅ GDPR (EU General Data Protection Regulation) - No personal data collection by default
• ✅ CCPA (California Consumer Privacy Act) - No personal data collection by default
• ✅ WCAG 2.1 AA (Web Content Accessibility Guidelines) - Accessible animation controls

• Security Issues: Use GitHub Security Advisories
• General Questions: Open an issue

We thank the following security researchers for responsible disclosure:

Last Updated: 2026-02-27 Version: 3.4.0

Emotive Engine is committed to maintaining the security and privacy of our users. Thank you for helping us keep our software safe.