Security Policy

Report a vulnerability privately.

If you believe you have found a security vulnerability in LuminalShine, please report it through GitHub’s private security advisory channel — not as a public issue. The team will triage, investigate, and develop a fix, and keep you informed at each step.

Initial response

We aim to respond within 72 hours (excluding weekends), acknowledging receipt and assigning a triage owner.

Coordinated disclosure

Once a fix is ready, the advisory is published with credit to the reporter (unless you ask to remain anonymous), a CVE if applicable, and notes on affected and fixed versions.

Only the versions listed below receive security fixes. Older releases may carry known unpatched issues.

Major version | Status      | Notes
26.x          | Supported   | Current GA and pre-release line. Receives security and bugfix updates.
< 26          | End of life | Pre-LuminalShine branches (Sunshine / Vibeshine forks). Upgrade to the current LuminalShine release.

In scope

The LuminalShine service, MSI / EXE installer custom actions, WebRTC and HTTPS endpoints, paired-client authentication, and the in-tree drivers we maintain.

Out of scope

Upstream Sunshine vulnerabilities — please report those at LizardByte/Sunshine. Third-party Moonlight clients are not maintained by NortheBridge.

A useful report typically contains:

  • A clear description of the vulnerability and impact.
  • Reproduction steps and the affected LuminalShine version.
  • Your Windows build (winver), GPU, and driver version where relevant.
  • Any proof-of-concept code or captured traffic (please trim secrets).
  • Suggested CVSS, if you have a confident assessment.