At the moment, only the latest commit on the main branch will be supported for security vulnerabilities. Private server operators
should keep their instances up to date and forks should regularily rebase on main.
| Branch | Supported |
|---|---|
main |
✅ |
If you found a security vulnerability in DLU, please send a message to darkflame-security@googlegroups.com. You should get a reply within 72 hours that we have received your report and a tentative CVSS score. We will do a preliminary analysis to confirm that the vulnerability is a plausible claim and decline the report otherwise.
If possible, please include
- reproducible steps on how to trigger the vulnerability
- a description on why you are convinced that it exists.
- any information you may have on active exploitation of the vulnerability (zero-day).
The project will release advisories on resolved vulnerabilities at https://github.com/DarkflameUniverse/DarkflameServer/security/advisories
We set up darkflame-security-announce@googlegroups.com for private server operators to receive updates on vulnerabilities such as the release of Security Advisories or early workarounds and recommendations to mitigate ongoing vulnerabilities.
Unfortunately, we cannot guarantee that announcements will be sent for every vulnerability.
We propose a 90 day (approx. 3 months) embargo on security vulnerabilities. That is, we ask everyone not to disclose the vulnerabilty publicly until either:
- 90 days have passed from the time the first related email is sent to
darkflame-security@ - a security advisory related to the vulnerability has been published by the project.
If you fail to comply with this embargo, you might be exluded from receiving security updates.
Unfortunately we cannot provide bug bounties at this time.