| Version | Supported |
|---|---|
| 1.x | ✅ Yes |
If you discover a security vulnerability in the TigerTag JavaScript SDK or the TigerTag protocol, please do not open a public GitHub issue.
Report it privately by email:
Please include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Your suggested fix (optional)
We will acknowledge your report within 48 hours and aim to release a fix within 14 days depending on severity.
This policy covers:
- The
tigertagnpm package (src/source) - The TigerTag binary protocol parser and serializer
- The ECDSA-P256 signature verification logic
- The database sync mechanism (
src/db.js)
Out of scope:
- The TigerTag cloud API (contact the manufacturer directly)
- Third-party NFC SDKs used alongside this library
- Chips already deployed in the field