
Security: Comunidad-de-Programadores/NotePad2

SECURITY.md

Security Policy

Read in Spanish

Supported Versions

Version   Supported
2.0.x     Yes
< 2.0     No

Reporting a Vulnerability

We take the security of Bloc de Notas 2 seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please send an email to: support@blocnotas2.com

Include the following in your report:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Impact assessment: what could an attacker achieve?
  4. Affected versions of the application
  5. Suggested fix (if you have one)

What to Expect

  • Acknowledgment: We will acknowledge your report within 48 hours
  • Assessment: We will assess the vulnerability within 5 business days
  • Resolution: We aim to fix critical vulnerabilities within 14 days
  • Disclosure: We will coordinate with you on public disclosure timing

Scope

The following are in scope for security reports:

  • Bloc de Notas 2 desktop application (Electron)
  • Bloc de Notas 2 web/PWA application
  • Official build and distribution infrastructure
  • Data stored locally on the user's machine

Out of Scope

  • Vulnerabilities in third-party dependencies (report these to the respective projects)
  • Issues that require physical access to the user's machine
  • Social engineering attacks
  • Denial of service attacks

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized and not subject to legal action
  • Helpful to the project and community
  • Worthy of recognition in our security acknowledgments

Recognition

We maintain a list of security researchers who have responsibly disclosed vulnerabilities. With your permission, we will add your name to our security acknowledgments.

Security Best Practices for Users

  1. Keep the app updated to the latest version
  2. Back up your data regularly using the built-in backup feature
  3. Be cautious with files imported from untrusted sources
  4. Review the configured Git remotes (git remote -v) before pushing notes that contain sensitive data

Security Architecture

Bloc de Notas 2 implements the following security measures:

  • Context Isolation: Electron's context isolation is enabled (contextIsolation: true), so page scripts and the preload script run in separate JavaScript contexts
  • Node Integration Disabled: nodeIntegration: false in the renderer, so page scripts cannot reach Node.js APIs
  • Content Security: HTML content is sanitized with DOMPurify before it is inserted into the DOM
  • Local-First: Data is stored locally by default, minimizing cloud exposure
  • No Telemetry: No data is sent to external servers without user consent
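The following is an added example, not code from the NotePad2 / Bloc de Notas 2 repository. It shows the renderer measures listed above as concrete Electron settings next to a deliberately weak configuration, an audit helper that flags the weak settings, a preload bridge that works under context isolation, and a DOMPurify sanitizer for imported HTML. The file names preload.js and index.html, the 'notes:save' IPC channel, the window.notesApi name and the extra `sandbox: true` setting are assumptions; the page does not state them.

```javascript
// Added example (not the project's own code). electron and dompurify are
// required lazily inside the functions that need them, so the pure helpers
// (hardenedWebPreferences, auditWebPreferences, sanitizeNoteHtml) run anywhere.

// Settings that implement "context isolation enabled" and "nodeIntegration: false".
function hardenedWebPreferences(preloadPath) {
  return {
    contextIsolation: true,   // page scripts and the preload run in separate JS worlds
    nodeIntegration: false,   // no require()/process objects reachable from page scripts
    sandbox: true,            // assumed extra hardening: OS sandbox for the renderer
    webSecurity: true,        // keep same-origin policy, block insecure content
    preload: preloadPath,
  };
}

// The opposite configuration, for comparison: with these settings a script
// injected into a note can call require('child_process') directly.
function weakWebPreferences() {
  return { contextIsolation: false, nodeIntegration: true, sandbox: false };
}

// Return the settings in a webPreferences object that undo renderer isolation.
// Absent keys are left alone: in current Electron releases the defaults are
// contextIsolation=true, nodeIntegration=false and sandbox=true.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation === false) findings.push('contextIsolation disabled');
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled');
  if (prefs.sandbox === false) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent enabled');
  if (prefs.nodeIntegrationInWorker === true) findings.push('nodeIntegrationInWorker enabled');
  return findings;
}

// Main process: create the editor window with the hardened settings.
function createMainWindow() {
  const { BrowserWindow } = require('electron');
  const path = require('path');
  const win = new BrowserWindow({
    width: 1024,
    height: 768,
    webPreferences: hardenedWebPreferences(path.join(__dirname, 'preload.js')), // assumed file name
  });
  win.loadFile('index.html'); // assumed file name
  return win;
}

// preload.js (assumed): with context isolation on, this bridge is the only way
// the page reaches the main process. Expose a few argument-checked functions,
// never ipcRenderer itself.
function installNotesBridge() {
  const { contextBridge, ipcRenderer } = require('electron');
  contextBridge.exposeInMainWorld('notesApi', {
    saveNote: (id, text) => {
      if (typeof id !== 'string' || typeof text !== 'string') {
        throw new TypeError('saveNote expects (string id, string text)');
      }
      return ipcRenderer.invoke('notes:save', id, text); // assumed channel name
    },
  });
}

// Renderer: sanitize untrusted HTML (an imported note, pasted content) with
// DOMPurify before it is assigned to innerHTML. `purify` is passed in so the
// function can be exercised without a DOM; in the app it is the DOMPurify module.
function sanitizeNoteHtml(html, purify) {
  return purify.sanitize(html, {
    USE_PROFILES: { html: true },            // HTML only, no SVG/MathML namespaces
    FORBID_TAGS: ['style', 'form', 'iframe'], // stricter than the default allow-list
    FORBID_ATTR: ['style'],                   // on* handlers are already removed by default
  });
}
```

In the app, `installNotesBridge()` is the body of preload.js, `createMainWindow()` is called from `app.whenReady()`, and page code calls `window.notesApi.saveNote(id, text)` instead of touching IPC directly. Running `auditWebPreferences` over every BrowserWindow's `webPreferences` in a test is a cheap way to keep the isolation settings from regressing.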

There aren’t any published security advisories