Security Notice

This is the security notice for all Modrinth repositories. The notice explains how vulnerabilities should be reported.

Reporting a Vulnerability

If you've found a vulnerability, we would like to know so we can fix it before it is released publicly. Do not open a GitHub issue for a vulnerability you have found.

Send details to jai@modrinth.com including:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • optionally the type of vulnerability and any related OWASP category
  • non-destructive exploitation details

We will do our best to reply as fast as possible.

Scope

The following vulnerabilities are not in scope:

  • volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
  • reports indicating that our services do not fully align with "best practice", for example missing security headers

If you aren't sure, you can still reach out via email or direct message.


This notice is inspired by the Python Discord Security Notice.

Version 2022-11