| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |
Only the most recent release receives security updates. We recommend always running the latest version.
Do not open a public issue for security vulnerabilities.
If you discover a security vulnerability in this project, please report it responsibly via GitHub Security Advisories.
Your report should include:
- A clear description of the vulnerability.
- Precise steps to reproduce the issue.
- The potential impact or attack scenario.
- Any suggested mitigation or fix, if applicable.
| Stage | Target |
|---|---|
| Acknowledgement | Within 72 hours |
| Initial assessment | Within 7 days |
| Fix or mitigation | Within 30 days of confirmation |
| Public disclosure | After fix is released, with reporter credit (unless anonymity is requested) |
This policy covers the Assets And Map Editor source code and its official release binaries.
It does not cover:
- Third-party NuGet dependencies — report those to their respective maintainers.
- Game server software, custom Tibia clients, or community modifications.
- User-generated configuration files or game assets.
Every official release published on the Releases page includes a checksums.sha256 file containing SHA-256 hashes for all build artifacts.
Verify on Linux / macOS:
```
sha256sum --check checksums.sha256
```
Verify on Windows (PowerShell):
```
Get-FileHash disttopic-assets-and-map-editor-windows-x64.zip -Algorithm SHA256
```
Compare the output hash against the corresponding entry in checksums.sha256. Do not run a binary whose hash does not match.
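The Windows comparison above can be automated so it does not depend on reading two hashes by eye. This is an added example, not part of the project's own tooling: the function name `Test-ReleaseChecksum`, the `sha256sum`-style line format of checksums.sha256, and the demo file `example-release.zip` are assumptions.

```powershell
# Added example: verify one downloaded artifact against checksums.sha256.
# Test-ReleaseChecksum is a hypothetical helper name, not shipped by the project.
function Test-ReleaseChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ChecksumFile = 'checksums.sha256'
    )

    $name = Split-Path -Leaf $Path
    $expected = $null

    # Assumed line format (sha256sum output): "<64 hex>  <name>" or "<64 hex> *<name>".
    foreach ($line in Get-Content -LiteralPath $ChecksumFile) {
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') {
            # Entries may carry a relative path; compare on the file name only.
            if ((Split-Path -Leaf $Matches[2]) -eq $name) {
                $expected = $Matches[1]
                break
            }
        }
    }

    # A file with no entry is unverified, which is treated as a failure.
    if (-not $expected) {
        throw "No entry for '$name' in $ChecksumFile; treat the file as unverified."
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Get-FileHash prints uppercase hex, sha256sum lowercase; -ne ignores case.
    if ($actual -ne $expected) {
        throw "SHA-256 mismatch for '$name': expected $expected, got $actual. Do not run it."
    }
    "OK: $name matches its entry in $ChecksumFile"
}

# Constructed demo: a throwaway file and a matching checksums file in a temp directory.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$zip  = Join-Path $dir 'example-release.zip'
$sums = Join-Path $dir 'checksums.sha256'
Set-Content -LiteralPath $zip -Value 'constructed sample payload'
$hash = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash.ToLower()
Set-Content -LiteralPath $sums -Value "$hash  example-release.zip"
Test-ReleaseChecksum -Path $zip -ChecksumFile $sums
```

For a real download, run the function from the folder holding both the release archive and checksums.sha256, passing the archive as `-Path`.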
Because our releases are not yet commercially code-signed, Windows Defender SmartScreen may show an "Unknown publisher" or "unrecognized app" warning. This is a reputation-based check, not a detection of malicious code.
To verify authenticity independently:
- Download only from the official GitHub Releases page.
- Verify the SHA-256 checksum as described above.
- Review the CI/CD pipeline — every release binary is built directly from source in a transparent, auditable GitHub Actions workflow.
- Optionally, build from source yourself following the build instructions.
We are actively working toward code signing for future releases to eliminate this friction.
- Download releases only from the official GitHub Releases page.
- Always verify the SHA-256 checksum before running a downloaded binary.
- Keep your installation up to date.
- Do not run the application with elevated privileges (it does not require them).
Thank you for helping keep this project secure.