Security
Last updated: May 5, 2026
This page is the canonical disclosure policy referenced by our
security.txt file.
It also explains, in plain terms, what software runs on your machine
when you play Project Remnant and what data flows where — so you can
make an informed call before installing anything.
1. How to report
Email bmtuer@gmail.com with a description of the issue, steps to reproduce, and any proof-of-concept you have. Please do not file public GitHub issues for security problems.
We aim to acknowledge reports within 3 business days. We are a solo project — patient, structured reports get a much better outcome than drive-by drops.
2. Scope
The following are in scope:
- The Project Remnant game client (the Electron .exe distributed via the launcher)
- The Project Remnant launcher (RemnantLauncher.exe) and its auto-update path
- The Project Remnant game server API
- This public website
The following are out of scope and will be closed without action:
- Vulnerabilities in third-party platforms (Supabase, Vercel, Railway, Resend, GitHub) — please report those directly to the vendor
- Social engineering or phishing of staff or players
- Physical attacks, or attacks requiring physical access to a player's already-compromised machine
- Volumetric denial-of-service or stress testing
- Findings on already-publicly-disclosed CVEs in dependencies — we patch on standard cadence
- Self-XSS, missing security headers without a working exploit, clickjacking on pages with no sensitive actions, missing SPF/DKIM, or other report-only findings
3. Safe harbor
If you research in good faith, stay within the scope above, avoid privacy violations and service degradation, and give us a reasonable window to fix issues before public disclosure, we will not pursue or support legal action against you, and we will not refer your activity to law enforcement.
"Good faith" means: you do not access more data than is necessary to demonstrate the issue, you do not modify or delete data that does not belong to you, and you do not use the finding to harass, extort, or harm other players.
4. Disclosure timeline
We practice coordinated disclosure. Our standard request is up to 90 days between report and public disclosure, longer if the fix is genuinely complex and we are actively working on it. We're happy to negotiate a shorter window for low-severity issues or issues that are easy to patch.
5. Rewards
No monetary rewards at this time. Project Remnant is a pre-launch solo project with no revenue. If your report leads to a meaningful fix and you'd like public credit, we'll happily acknowledge you in the patch notes for the release that closes the issue. Tell us in your report whether you want credit and how you'd like to be named.
6. Stack & data flow
What runs and where, in plain terms.
6.1 On your machine
- Launcher
- Game client
6.2 Server-side
- Game server
- Account & game databases
6.3 Third-party services
- Vercel
- Supabase
- Railway
- Resend
- Sentry
- GitHub
- Discord
Data-handling commitments and player rights are documented separately in the Privacy Policy.