If you find a security vulnerability in any module of this repository, please do not open a public GitHub issue.
Instead, open a private security advisory: https://github.com/wujiajunhahah/focux-engines/security/advisories/new
Include:
- The affected module (`engines/*`, `core/harness-protocol`, `hardware/echowrist`, …)
- A description of the vulnerability and its impact
- Reproduction steps or proof-of-concept
- Any suggested mitigation
We aim to acknowledge reports within 7 days and provide a more substantive update within 30 days.
This repository contains research-prototype code. The threat model in scope covers:
- Information leakage from sensor data pipelines
- Insecure defaults in `core/harness-protocol` WebSocket transport
- Vulnerabilities in `hardware/echowrist` firmware that could expose users
- Supply-chain risks in dependencies declared by modules under this repo
Out of scope:
- Vulnerabilities in third-party hardware (LeLamp, WAVELETECH wristband, etc.)
- Vulnerabilities in the FocuX iOS application or the focux.me website (those live in separate repositories)
- Issues that require physical access to the device beyond what is already required to attach a sensor
We follow a 90-day coordinated disclosure timeline by default. If you need a longer or shorter window, mention it in the report and we will discuss.