Security Notice

Edited: March 19, 2023

This is the security notice for all QuiltMC repositories. The notice explains how security vulnerabilities should be reported. We also support the security.txt standard.

Reporting a Vulnerability

If you’ve found a vulnerability, please let us know privately so that we can fix it before it is released publicly. Do not open a GitHub issue to report a security vulnerability.

Send details to admins@quiltmc.org, including:

  • The website, page, tool or repository where the vulnerability can be observed
  • A brief description of the vulnerability
  • Optionally the type of vulnerability and any related OWASP category
  • Non-destructive exploitation details and proof of concept

We will do our best to reply as fast as possible. A PGP key is available if you’d like to encrypt the email.

Scope

The following vulnerabilities are not in scope:

  • Volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
  • Reports indicating that our services do not fully align with “best practice”, for example missing security headers

If you aren’t sure whether a vulnerability is in scope or not, you can still reach out via email.

This notice is inspired by the GDS Security Notice.