This is the security notice for all Modrinth repositories. The notice explains how vulnerabilities should be reported.
Reporting a Vulnerability
If you've found a vulnerability, we would like to know about it so we can fix it before it is disclosed publicly. Do not open a GitHub issue for a vulnerability, as issues are public.
Send details to firstname.lastname@example.org including:
- the website, page or repository where the vulnerability can be observed
- a brief description of the vulnerability
- optionally the type of vulnerability and any related OWASP category
- non-destructive exploitation details
We will do our best to reply as fast as possible.
The following vulnerabilities are not in scope:
- volumetric (denial-of-service) vulnerabilities, for example overwhelming a service with a high volume of requests
- reports indicating that our services do not fully align with "best practice", for example missing security headers
If you aren't sure, you can still reach out via email or direct message.
This notice is inspired by the Python Discord Security Notice.