We take security seriously and actively maintain security updates for the following versions:
| Version | Supported | WebGL Support | TypeScript | Status |
|---|---|---|---|---|
| 0.1.x | ✅ Yes | WebGL 2.0+ | ✅ Yes | Active |
| 0.2.x | ✅ Yes (Upcoming) | WebGL 2.0+ | ✅ Yes | Planned |
Ninth.js is committed to maintaining the highest standards of security for our users and their applications. We recognize that 3D graphics libraries are often used in enterprise environments, educational institutions, and production applications where security is paramount.
- Security by Design: Security considerations are built into every aspect of the library
- Proactive Defense: We monitor for security threats and vulnerabilities continuously
- Transparent Communication: We disclose security issues promptly and clearly
- Community Responsibility: We work with the community to maintain a secure ecosystem
We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please follow these guidelines:
Please do not create public GitHub issues for security vulnerabilities, as this could put users at risk before a fix is available.
Report security vulnerabilities through one of these secure channels:
- Email: security@9thjs.com (PGP key available on request)
- GitHub Security: Use GitHub's private vulnerability reporting feature
- Discord: Direct message to @9thjs-security on our Discord server
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if applicable)
- Environment details (browser, WebGL version, OS)
- Proof of concept (if safe to share)
We commit to responding to security reports according to this timeline:
- Initial Response: Within 24 hours of receiving your report
- Investigation: Within 3-5 business days
- Fix Development: Varies by complexity (typically 1-4 weeks)
- Security Advisory: Within 1 week of fix deployment
Ninth.js implements several security measures related to WebGL:
- All shaders run in a sandboxed WebGL context
- No direct access to system resources
- Shader compilation errors are caught and handled safely
- No dynamic shader generation from user input without validation
- CORS Compliance: All asset loading respects CORS policies
- Content-Type Validation: Strict MIME type checking for loaded assets
- Size Limits: Configurable limits on asset sizes to prevent DoS
- Integrity Verification: Optional Subresource Integrity (SRI) support
- Automatic memory cleanup to prevent memory leaks
- Safe handling of WebGL resources (textures, buffers, shaders)
- Protection against buffer overflows and underflows
- Zeroing of sensitive data after use
- All user input is validated and sanitized
- Buffer bounds checking on all array operations
- Type validation for shader uniforms and attributes
- Safe parsing of JSON and configuration data
- Secure defaults for all configuration options
- Validation of all configuration parameters
- Protection against configuration injection
- Safe handling of environment variables
- Static code analysis with ESLint security rules
- Dependency vulnerability scanning with npm audit
- Regular security-focused code reviews
- Automated testing including security-related tests
- Reproducible builds with cryptographic hashing
- Secure build environment isolation
- Dependency pinning to prevent supply chain attacks
- Signed releases for distribution verification
We classify vulnerabilities using the following severity levels:
- Remote code execution
- Privilege escalation
- Data exfiltration
- Response: 24-48 hours for hotfix
- Security feature bypass
- Information disclosure
- Response: 1-2 weeks for patch
- Limited scope security issues
- Response: 2-4 weeks for patch
- Informational security issues
- Response: Next regular release cycle
-
Triage (24 hours)
- Acknowledge receipt of report
- Initial severity assessment
- Assign security team member
-
Investigation (3-5 days)
- Reproduce the issue
- Assess impact and scope
- Identify affected versions
- Develop reproduction steps
-
Fix Development (1-4 weeks)
- Develop security fix
- Implement comprehensive tests
- Review fix for completeness
- Prepare security advisory
-
Testing & Validation (1-2 weeks)
- Internal security testing
- Regression testing
- Performance impact assessment
- Cross-platform validation
-
Release & Communication (1 week)
- Deploy security update
- Issue security advisory
- Update security documentation
- Coordinate with affected users
// ✅ Use secure asset loading
const loader = new GLTFLoader();
loader.setCrossOrigin('anonymous'); // Explicit CORS
loader.load('secure-asset.gltf', onLoad, onError, onProgress);
// ❌ Avoid direct user input in shader sources
const userInput = getUserInput(); // Always sanitize
// const shader = `shader code ${userInput}`; // DON'T DO THIS// ✅ Proper cleanup
const geometry = new BoxGeometry();
const material = new MeshStandardMaterial();
const mesh = new Mesh(geometry, material);
// Later, when removing:
scene.remove(mesh);
geometry.dispose();
material.dispose();// ✅ Validate user inputs
function createMeshFromConfig(config) {
// Validate config structure
if (!config || typeof config !== 'object') {
throw new Error('Invalid configuration');
}
// Validate numeric parameters
const scale = Number(config.scale) || 1;
if (scale < 0 || scale > 1000) {
throw new Error('Scale out of bounds');
}
// Create mesh with validated parameters
return new Mesh(new BoxGeometry(scale, scale, scale));
}If you're using Ninth.js in a CSP environment, add these directives:
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'unsafe-eval';
worker-src 'self' blob:;
img-src 'self' data: https:;
connect-src 'self' https: data:;
media-src 'self' https: data:;">// ✅ Use feature detection
if (!window.WebGLRenderingContext) {
console.error('WebGL not supported');
// Provide fallback or error message
}
if (!engine.isWebGL2Supported()) {
// Fallback to WebGL1 or provide alternative
}When reviewing code contributions, check for:
- Input validation on all user data
- Proper bounds checking on arrays and buffers
- Secure handling of shader sources
- No use of eval() or Function constructor
- Proper resource cleanup (dispose patterns)
- No hardcoded secrets or credentials
- Secure random number generation where needed
- Proper error handling without information leakage
All contributions should include security testing:
# Run security-focused tests
npm run test:security
# Lint with security rules
npm run lint:security
# Dependency vulnerability scan
npm audit
# Static security analysis
npm run analyze:securityWebGL operates within the browser's security model:
- Same-Origin Policy: Prevents unauthorized access to cross-origin resources
- CORS Enforcement: Enforces cross-origin resource sharing policies
- Sandbox Isolation: WebGL contexts are sandboxed from the main page
- Permission Models: Browser prompts for sensitive WebGL features
WebGL shaders have built-in security features:
- Limited Instruction Set: Shaders cannot execute arbitrary code
- No Memory Access: Shaders cannot directly access system memory
- Constant Propagation: Compiler optimizations prevent data leakage
- WebGL Context Isolation: Each context is isolated from others
Ninth.js balances security with performance through:
- Runtime Validation: Optional security checks with performance modes
- Trust Boundaries: Clear separation between trusted and untrusted code
- Feature Flags: Disable potentially risky features in production
- Gradual Enforcement: Increasing security checks based on deployment context
Ninth.js aims to comply with:
- OWASP Top 10: Protection against common web vulnerabilities
- CWE/SANS Top 25: Common Weakness Enumeration
- NIST Cybersecurity Framework: Comprehensive security guidelines
- ISO 27001: Information security management
We ensure compatibility with:
- Content Security Policy (CSP): Full CSP compliance
- Subresource Integrity (SRI): Support for cryptographic integrity
- Mixed Content: Proper handling of secure/insecure content
- Cross-Origin Resource Sharing (CORS): Strict CORS compliance
We notify users of security updates through:
- GitHub Security Advisories: Automatic notifications to repository watchers
- Security Mailing List: Monthly security bulletins
- NPM Security Warnings: Built into npm CLI for package users
- Discord Security Channel: Real-time security updates
For applications using Ninth.js:
- Monitor GitHub Security Advisories
- Enable npm security audit:
npm audit - Consider automated dependency updates with tools like Dependabot
- Subscribe to security notification channels
Security support for older versions:
- Current Major Version: Full security support
- Previous Major Version: Security fixes for 12 months
- Older Versions: Security support case-by-case
- Security Lead: security-lead@9thjs.com
- General Security: security@9thjs.com
- Emergency Contact: security-emergency@9thjs.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP public key would be displayed here]
-----END PGP PUBLIC KEY BLOCK-----
- Security Policy: https://9thjs.com/security
- Vulnerability Database: https://security.9thjs.com
- Security Documentation: https://docs.9thjs.com/security
- Security Community: https://discord.gg/9thjs-security
We maintain a security hall of fame for researchers who have responsibly disclosed vulnerabilities:
- Community members who contribute security improvements
- Security auditors who review our code
- Users who report security issues responsibly
This security policy is subject to legal review and may be updated. Current version effective as of the date listed below.
We are currently establishing a bug bounty program for responsible security researchers. Details will be announced soon.
This project uses dependencies that may have their own security requirements. Review the Third-Party Licenses document for complete information.
Last Updated: 2025-11-05
Policy Version: 1.0
Effective Date: 2025-11-05
For questions about this security policy, contact security@9thjs.com