Skip to content

Security: MirrorNetworking/Mirror

Security

Report a vulnerability

SECURITY.md

Security Policy

Supported Versions

Mirror & Mirror LTS are both supported for security fixes.

Reporting a Vulnerability

Please email security [at] mirror-networking.com to report a vulnerability.
You can also contact us in our Discord for faster replies.

You can expect a reply within 24-48 hours.
We will keep you updated on our steps to mitigate issues every 2-4 weeks.

Timelines

  • Critical vulnerabilities can be expected to be patched within 1-2 weeks.
  • Medium risk vulnerabilities can be expected to be patched within 2-3 weeks.
  • Low risk vulnerabilities will be patched within 3-4 weeks.

Bug Bounty

Depending on the severity of the exploit, we offer a $50 - $500 bug bounty.

Specifically we are looking for:

  • Ways to crash a Mirror server.
  • Ways to exploit a Mirror server.
  • Ways to leave a Mirror server in undefined state.

We are not looking for DOS/DDOS attacks, as those are expected to be handled by the hosting infrastructure.

Notifications

In case of security breaches, Mirror users will be informed in our Discord server and release changelogs. Since we collect no user data, you are recommended to read the changelog and follow our Discord announcements.

There aren’t any published security advisories