Security fixes are applied only to the latest maintained version of SphereServer, which is currently the Nightly build from the master branch.
If you are running an older version, please upgrade and confirm that the issue still reproduces on the current build before reporting it.
If you discover a security vulnerability in SphereServer, please report it responsibly.
Do not create a public GitHub issue for security vulnerabilities.
Instead:
- Contact the maintainers privately.
- Provide a detailed description of the vulnerability.
- Include reproduction steps if possible.
Your report should include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Affected versions
- Suggested fix (if available)
We ask security researchers to follow responsible disclosure practices:
- Allow maintainers reasonable time to investigate and fix the issue
- Do not publicly disclose the vulnerability before a fix is available
- Do not exploit the vulnerability beyond what is needed for a proof of concept
Security patches will be released as soon as reasonably possible after confirmation of the issue.
When a vulnerability is fixed:
- A patch will be committed
- Release notes may mention the fix
- Credit may be given to the reporter (if desired)
This policy applies to the SphereServer codebase, including:
- Core server code
- Network handling
- Script engine
- Authentication and account management
- Build system and dependencies