| Version | Supported |
|---|---|
| 0.1.x | Yes |
Do not open a public GitHub issue for security vulnerabilities. Instead, report them privately using one of the following methods:
- Use GitHub's built-in private vulnerability reporting (the repository's Security tab, then "Report a vulnerability").
- Send details to the maintainer directly. Contact information is on the @I4cTime GitHub profile.
When reporting, please provide:
- Description of the vulnerability and its potential impact.
- Steps to reproduce or a proof of concept.
- Affected version(s) of ProtonShift.
- Environment details (distro, desktop environment, GPU).
- Suggested fix, if you have one.
| Stage | Timeframe |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix or mitigation | Varies by severity |
| Public disclosure | After a fix is released |
The following areas are in scope for security reports:
- VDF / config writes — unintended modification of Steam or Heroic config files.
- Python backend — command injection through launch options, env vars, or path arguments.
- Electron IPC — unauthorized access through the preload bridge.
- File operations — path traversal in prefix delete, save backup/restore, or open-path.
- Environment variables — injection via environment.d writes.
- Protontricks execution — unvalidated verb or argument passthrough.
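For the prefix-delete and Protontricks items above, the following Python is an added illustration of the input checks that close those two classes. It is not ProtonShift's own code: the compatdata layout, the regular expressions and the function names are assumptions made for this example.

```python
"""Added illustration, not ProtonShift's own code: input checks of the
kind that close the prefix-delete path-traversal and Protontricks
argument-passthrough classes.  The compatdata layout, the regexes and
the function names are assumptions made for this example."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumed shapes: Steam app IDs are decimal integers; Protontricks verbs
# are short tokens such as "vcrun2019" or "dotnet48".  No leading "-", so
# user input can never turn into a protontricks command-line option.
APP_ID_RE = re.compile(r"[0-9]{1,12}")
VERB_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def prefix_dir(compatdata_root, app_id):
    """Map a user-supplied app_id to its prefix directory, or raise.

    Three checks: the id must be purely numeric (so "../x", "/etc" and
    "123/pfx" never reach the filesystem); a symlinked prefix is refused
    outright; and the *resolved* path must still be a direct child of the
    resolved compatdata_root, as defence in depth against any remaining
    way of pointing the delete outside the tree.
    """
    app_id = str(app_id)
    if not APP_ID_RE.fullmatch(app_id):
        raise ValueError(f"invalid app id: {app_id!r}")
    root = Path(compatdata_root).resolve()
    candidate = root / app_id
    if candidate.is_symlink():
        raise ValueError(f"refusing symlinked prefix: {candidate}")
    target = candidate.resolve()
    if target.parent != root:
        raise ValueError(f"prefix escapes compatdata root: {target}")
    return target


def delete_prefix(compatdata_root, app_id):
    """Delete a prefix only after prefix_dir() accepted it; True if removed."""
    target = prefix_dir(compatdata_root, app_id)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def protontricks_argv(app_id, verbs):
    """Build an argv list for protontricks with no shell involved.

    Each verb must match VERB_RE, so spaces, quotes, ';' and '$(...)' are
    rejected instead of passed through.  The result is meant for
    subprocess.run(argv) without shell=True, so nothing is re-parsed by
    /bin/sh; the allowlist and the absence of a shell together stop the
    injection.
    """
    app_id = str(app_id)
    if not APP_ID_RE.fullmatch(app_id):
        raise ValueError(f"invalid app id: {app_id!r}")
    argv = ["protontricks", app_id]
    for verb in verbs:
        if not VERB_RE.fullmatch(verb):
            raise ValueError(f"rejected protontricks argument: {verb!r}")
        argv.append(verb)
    return argv


def run_demo():
    """Constructed fixture: a temporary compatdata tree with one real
    prefix and one symlink that points outside the tree."""
    results = {}
    with tempfile.TemporaryDirectory() as td:
        root = Path(td) / "compatdata"
        (root / "12345" / "pfx").mkdir(parents=True)
        outside = Path(td) / "outside"
        outside.mkdir()
        os.symlink(outside, root / "99999")  # escape attempt via symlink

        results["valid"] = prefix_dir(root, "12345") == (root / "12345").resolve()
        for bad in ("../outside", "/etc", "12345/pfx", "99999"):
            try:
                prefix_dir(root, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        results["deleted"] = delete_prefix(root, "12345")
        results["exists_after"] = (root / "12345").exists()
        results["outside_intact"] = outside.exists()
    return results


if __name__ == "__main__":
    print(run_demo())
    print(protontricks_argv("12345", ["vcrun2019", "dotnet48"]))
```

The same pattern applies to the launch-option and env-var paths: keep user input as data in an argv list or an environment dict, never interpolate it into a string handed to a shell.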
The following are out of scope:
- Vulnerabilities in upstream dependencies (report those to the respective project).
- Issues requiring physical access to an already-unlocked machine.
- Social engineering attacks.
- Bugs in Steam, Heroic, Lutris, MangoHud, or Gamescope themselves.
We're happy to credit security researchers in the release notes unless you prefer to remain anonymous. Let us know your preference when reporting.