We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of Motionary seriously. If you discover a security vulnerability, please follow these steps:
1. Do not create a public GitHub issue for security vulnerabilities.
2. Send a detailed report to: [your.email@example.com]
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)
After you report, you can expect:
- Initial Response: within 48 hours
- Status Update: within 5 business days
- Fix Timeline: depends on severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: next release cycle
Disclosure process:
1. The security issue is reported privately.
2. We confirm the issue and determine its severity.
3. We develop and test a fix.
4. We release a patched version.
5. We publicly disclose the vulnerability (with credit to the reporter, if desired).
When using Motionary in production:
- **Keep Dependencies Updated**: run `npm audit` regularly and in CI (`npm audit --audit-level=high` fails the build on high or critical findings); apply fixes with `npm audit fix`, and keep packages current with `npm update`, which only moves within the semver ranges declared in `package.json`.
- **Use Environment Variables**: never commit sensitive data; keep secrets in `.env.local` (excluded by `create-next-app`'s default `.gitignore`). Any variable whose name starts with `NEXT_PUBLIC_` is inlined into the browser bundle at build time, so secrets must never use that prefix.
- **Content Security Policy**: configure a proper CSP header and allowlist only the script, style and asset origins you actually use.
- **Rate Limiting**: rate-limit production APIs to prevent abuse of interactive features.
Motionary itself handles no user data:
- All motion effects run client-side
- No server-side data processing
- User inputs are not stored or transmitted
We regularly audit:
- Framer Motion
- React Three Fiber
- GSAP
- Next.js
Motionary's own code:
- Animations use standard Web APIs
- No `eval()` or other dynamic code execution
- Runs entirely within the browser sandbox
Subscribe to security updates:
- Watch this repository
- Enable GitHub security alerts
- Follow release notes
We appreciate responsible disclosure and will acknowledge security researchers (with permission) in:
- Security advisories
- Release notes
- CONTRIBUTORS.md
Thank you for helping keep Motionary secure! 🔒