Send a private security report by going to https://github.com/pmmp/PocketMine-MP/security and clicking the "Report a vulnerability" button.
Warning: DO NOT report vulnerabilities on the Issues tab. Report them in the Security tab ONLY.
The issue tracker is public to view, which means that malicious actors may learn about exploits from a public issue.
You may put live PocketMine-MP servers at risk by reporting a vulnerability on the GitHub issue tracker.
If you can't or don't want to use the GitHub system, you can also contact us by sending an email to security@pmmp.io. Include the following information:
- Version of PocketMine-MP
- Detailed description of the vulnerability (e.g. how to exploit it, what the effects are)
- Your GitHub username, if you wish to be credited for reporting the problem in the security advisory
Please note that we can't guarantee a reply to every email.
No.
This depends on the nature of the problem. We can't provide any general ETA (nor would it be wise to provide one). In general, it depends on when developers have time to look into the problem, how complex the problem is to fix, and how many users it impacts.
When a fix for a severe vulnerability is pushed, a patch release for the target version will usually be released within 24 hours so that users can update.