
Security: plot-ws/plot-coop-starter


SECURITY.md

Security Policy

We take the security of Plot and the projects in the plot-ws organization seriously. This policy applies org-wide and explains how to report a vulnerability and what to expect from us in return.

Supported versions

Plot is delivered as a hosted service plus published engine SDKs, demos, and starters. Security fixes are made against the latest released version of each SDK and the current hosted platform. We don't backport fixes to older SDK releases — if you're affected by a security issue, the expected remedy is to update to the latest version. If updating isn't possible for you, mention that in your report and we'll discuss options.

Reporting a vulnerability

Please report security issues privately. Do not open a public GitHub issue, pull request, or Discord message for a suspected vulnerability — public disclosure before a fix is available puts other developers and players at risk.

Instead, email:

To help us triage quickly, please include as much of the following as you can:

  • A clear description of the issue and its potential impact.
  • The affected component — hosted platform, a specific SDK (plot-unity / plot-godot / plot-defold / plot-unreal), a starter, or a demo — and version where applicable.
  • Step-by-step instructions to reproduce, ideally with a minimal proof of concept.
  • Any relevant logs, requests, or configuration (with secrets redacted).
  • How you'd like to be credited, if at all.

If you'd like to encrypt your report, say so in a first email and we'll arrange a secure channel.

What to expect

  • Acknowledgement within 3 business days that we've received your report.
  • An initial assessment and a sense of severity and next steps, typically within a week of acknowledgement.
  • Ongoing updates as we investigate and work on a fix. We'll let you know when a fix is released.

Timelines can vary with the complexity of the issue; we'll keep you informed if something takes longer.

Coordinated disclosure

We follow a coordinated-disclosure approach and ask that you do too:

  • Give us a reasonable window to fix the issue before any public disclosure. We aim to remediate valid vulnerabilities promptly; for most issues a window of up to 90 days is reasonable, and we'll work with you if more or less time makes sense.
  • Don't access, modify, or delete data that isn't yours, and don't degrade the service for others while testing.
  • Stay within scope (below) and avoid privacy violations, data destruction, and service disruption.

If you act in good faith and follow this policy, we will not pursue or support legal action against you for your research, and we're happy to credit you for the report once a fix is in place.

Scope

In scope:

  • The Plot hosted platform and APIs at plot.ws and its subdomains.
  • The published engine SDKs: plot-unity, plot-godot, plot-defold, plot-unreal.
  • The starter and demo repositories: plot-io-starter, plot-lobby-starter, plot-coop-starter, plot-showcase.

Out of scope:

  • Findings that require physical access to a user's device, or social engineering of Plot staff or users.
  • Denial-of-service, volumetric, or rate-limit-exhaustion testing against the live service.
  • Vulnerabilities in third-party dependencies or platforms that we don't control, unless you can demonstrate a concrete, exploitable impact on Plot.
  • Reports generated solely by automated scanners with no demonstrated, exploitable impact.
  • Best-practice suggestions (e.g. missing headers) without a real-world security impact — these are welcome, but please send them to contact@plot.ws rather than as a vulnerability report.

Questions

If you're not sure whether something is a security issue, err on the side of caution and email security@plot.ws. Thank you for helping keep Plot and its community safe.