Do not open a public GitHub Issue, Discussion, or pull request to report a security vulnerability. Public disclosure before a fix is available puts all Lore users at risk.
Report through Epic Games' security channels:
- Primary — Epic Games HackerOne program: https://hackerone.com/epicgames
- Alternative — email: security@epicgames.com
Use the subject line "Lore Go SDK security" when reporting by email.
Epic doesn't pursue legal action against researchers acting in good faith under this policy.
- A description of the vulnerability and how it can be exploited
- Step-by-step reproduction, or a minimal reproduction program
- The affected SDK version (check your
go.mod) - Your Go version, OS, and CPU architecture
- Impact assessment — what can an attacker do?
- Your name and affiliation for credit (or note if you prefer anonymity)
This file covers the github.com/EpicGames/lore-go Go module and its
platform binaries. Vulnerabilities in the underlying Lore wire protocol,
lore-capi, or loreserver are also in scope — mention which component is
affected.
The full response timeline, embargo tracks, supported-version policy, CVE coordination, and bug bounty terms are governed by the Lore project security policy and apply uniformly to the SDK:
If you do not receive an acknowledgement within 7 days, follow up at security@epicgames.com with "Lore Go SDK security" in the subject line.