Not every hidden thing is a vulnerability. Some are acorns buried in the dark, waiting to become forests. Know the difference.
Echo S Studios takes security seriously โ and we also build transmedia systems with intentional embedded data layers. This document clarifies the difference and tells you how to report real issues.
If you discover a security vulnerability in any Echo S Studios repository, please report it responsibly.
| Method | Details |
|---|---|
| Primary | Open a private security advisory via the affected repository's Security tab on GitHub |
| Fallback | Open a private issue or contact a maintainer directly |
- Description of the vulnerability
- Steps to reproduce
- Affected repository and file(s)
- Potential impact assessment
| Timeline | Action |
|---|---|
| 48 hours | We acknowledge your report |
| 7 days | We provide an initial assessment |
| Ongoing | We keep you informed of remediation progress |
| On fix | We credit you (unless you prefer anonymity โ consent-first, always) |
- Cross-site scripting (XSS) in any interactive page or GitHub Pages site
- Injection vulnerabilities in any dynamic content
- Authentication or authorization flaws
- Exposure of secrets, credentials, or private data
- Dependency vulnerabilities in Node.js or Python packages
- Misconfigured GitHub Actions workflows that could leak secrets
The transmedia architecture includes intentional embedded data layers. These are features, not flaws. The labyrinth has doors that are supposed to be hidden.
| Feature | Explanation |
|---|---|
| LSB steganography | Images may contain encoded narrative data. This is by design. The acorn hides inside the pixel. |
| Memory encoding | Chronicle documents may contain structured metadata invisible to casual readers. This is narrative architecture. |
| Zero-width characters | If present, these are detectable and intentional. We are aware of these techniques and use detection where appropriate. |
| aria-hidden attributes | Used as standard W3C accessibility practice, not as AI directives or hidden instructions. |
| Narrative-embedded coordinates | Story documents may contain mathematical constants, coordinates, or encoded references as part of the transmedia experience. |
If you're unsure whether something you found is an intentional feature or a real vulnerability โ report it anyway. We'd rather review a narrative mechanic twice than miss a real issue.
| Practice | Details |
|---|---|
| Prompt injection awareness | Interactive systems that process user input are designed with injection resistance |
| Dependency management | We monitor for known vulnerabilities in project dependencies |
| Zero-width character detection | We maintain awareness of embedding techniques and deploy detection where appropriate |
| Secret scanning | Repository secrets are managed through GitHub's built-in secret scanning |
| Static HTML preference | Many projects are pure static HTML โ no server-side processing, minimal attack surface |
- We don't store user credentials
- We don't process payments directly
- We don't run server-side applications in production (GitHub Pages is static hosting)
- We don't collect personal data beyond standard GitHub interaction
Security updates are applied to the main branch of each active repository.
| Project | Supported |
|---|---|
| The Index | โ Latest main branch |
| Interactive examples (Quantum APL, Tesseract, etc.) | โ Latest main branch |
| Archived / legacy repos | โ Not actively maintained |
We appreciate security researchers who help keep Echo S Studios safe. Responsible reporters will be credited in the relevant repository's changelog โ if they consent to being named.
Consent-first, always. Even in gratitude.