Security: FrostleafDev/VaroX

# Security Policy for VaroX

## Reporting a Vulnerability

We take the security of VaroX seriously. We greatly appreciate the efforts of security researchers and community members who responsibly disclose vulnerabilities to us.

If you believe you have found a security vulnerability in VaroX, please follow these steps to ensure a coordinated and prompt resolution.

### 1. Responsible Disclosure

**DO NOT** open a public GitHub Issue to report security-sensitive information.

Instead, please send a detailed report directly to the VaroX developer team via one of the following private channels:

* **Email:** security.jozelot.de
* **Discord (Direct Message):** jozelot_ (via the provided Discord link in the README)

### 2. Information to Include

To help us quickly understand and resolve the issue, please include the following information in your report:

* **Vulnerability Summary:** A brief description of the vulnerability (e.g., "Insecure permission check in /varo reload").
* **Affected Version(s):** Specify which version(s) of the VaroX plugin and Minecraft version(s) the vulnerability was found in (e.g., VaroX 1.8.8 on MC 1.12.2).
* **Steps to Reproduce (PoC):** A clear, step-by-step procedure to reproduce the issue.
* **Impact:** Describe the potential consequences of the vulnerability (e.g., "Allows non-admin players to execute server commands").
* **Proposed Fix (Optional):** If possible, include code snippets or recommendations on how to mitigate the issue.

### 3. Our Commitment (Response Timeline)

We are committed to responding to all legitimate security reports as quickly as possible.

| Stage | Expected Timeline |
| :--- | :--- |
| **Initial Acknowledgment** | Within 48 hours of receipt. |
| **Vulnerability Assessment** | Within 5 business days (to confirm the bug and determine severity). |
| **Fix and Release** | Depending on severity, we aim to release a patched version as soon as the fix is fully tested. |

Once the vulnerability has been patched and released, we will publicly acknowledge your contribution (unless you prefer to remain anonymous).

Thank you for helping to keep VaroX secure.

---

> This policy applies to the VaroX plugin source code and binary distributions.

There aren’t any published security advisories