Mirror & Mirror LTS are both supported for security fixes.
Please email security [at] mirror-networking.com to report a vulnerability.
You can also contact us in our Discord for faster replies.
You can expect a reply within 24-48 hours.
We will keep you updated on our steps to mitigate issues every 2-4 weeks.
- Critical vulnerabilities can be expected to be patched within 1-2 weeks.
- Medium risk vulnerabilities can be expected to be patched within 2-3 weeks.
- Low risk vulnerabilities will be patched within 3-4 weeks.
Depending on the severity of the exploit, we offer a $50 - $500 bug bounty.
Specifically we are looking for:
- Ways to crash a Mirror server.
- Ways to exploit a Mirror server.
- Ways to leave a Mirror server in undefined state.
We are not looking for DOS/DDOS attacks, as those are expected to be handled by the hosting infrastructure.
In case of security breaches, Mirror users will be informed in our Discord server and release changelogs. Since we collect no user data, you are recommended to read the changelog and follow our Discord announcements.