DO NOT report vulnerabilities on the GitHub issue tracker. GitHub is public and anyone can see the issues you post on the issue tracker, including people who would exploit vulnerabilities for their own gain.

WARNING: You may put live servers at risk by reporting a vulnerability on the GitHub issue tracker.

Contact us by sending an email to security@pmmp.io. Include the following information:

• Version of PocketMine-MP
• Detailed description of the vulnerability (e.g. how to exploit it, what the effects are)
• Your GitHub username, if you wish to be credited for reporting the problem in the security advisory

Please note that we can't guarantee a reply to every email.

No.

This depends on the nature of the problem. We can't provide any general ETA (nor would it be wise to provide one). In general, it depends on when developers have time to look into the problem, how complex the problem is to fix, and how many users it impacts.

When a fix for a severe vulnerability is pushed, a patch release for the target version will usually be released within 24 hours so that users can update.