We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: [Your Email Here]
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
- Report received - We acknowledge receipt within 48 hours
- Assessment - We evaluate severity and impact (1-7 days)
- Fix developed - We create and test a patch (varies by complexity)
- Disclosure - We coordinate disclosure timing with reporter
- Release - We publish fix and security advisory
- Recognition - We credit reporter (unless they prefer anonymity)
- Mod Loader DLL - Injection vulnerabilities, privilege escalation
- GUI Launcher - Remote code execution, credential theft
- Mod Repository - Malicious file upload, XSS, injection attacks
- SDK - API vulnerabilities that affect all mods
- Individual mods (report to mod authors)
- Social engineering attacks
- Denial of service from excessive mod installations
- Issues already known and documented
- Issues in third-party dependencies (report upstream)
- Download from official sources - Use mods.sbgmodloader.com
- Check reviews - Read ratings and comments before installing
- Scan mods - Use antivirus on downloaded files
- Keep updated - Use the latest mod loader version
- Validate input - Never trust user input
- Minimize permissions - Request only what you need
- Avoid native code - When possible, use safe APIs
- Document security - Note any elevated permissions needed
- Test thoroughly - Check edge cases and malformed data
- No secrets in code - Don't commit API keys, passwords, etc.
- Secure dependencies - Keep libraries updated
- Code review - Security implications should be reviewed
- Principle of least privilege - Grant minimum necessary access
- DLL Injection - The mod loader uses DLL injection, which antivirus may flag. This is expected behavior.
- Game Memory Access - Mods can read/write game memory. Only install trusted mods.
- Native Code Execution - Mods run as native code with full system privileges.
- File Uploads - We validate uploads but cannot guarantee safety. Use antivirus.
- Automated Checks - Our validation is not foolproof. Report suspicious mods.
- Checksums - Verify file integrity when downloading directly.
We follow coordinated disclosure:
- Security researcher reports issue privately
- We confirm and develop a fix
- We coordinate disclosure timing (typically 90 days)
- We publish fix and advisory simultaneously
- We credit researcher (with permission)
Published security advisories can be found at:
- GitHub Security Advisories
- Website Security Page (coming soon)
We currently do not offer a bug bounty program, but we deeply appreciate responsible disclosure and will publicly credit researchers who report valid issues.
For security concerns:
- Email: [Your Email Here]
- Urgent: Please include "SECURITY" in subject line
For general issues:
- GitHub Issues: Create an issue
Thank you for helping keep SBG Mod Loader and our community safe! 🔒