|Mod Vulnerability Guidelines
|Protocols followed when a security vulnerability is found in a modification.
If you discover a potential security vulnerability in a modification the following protocol should be followed:
- Do not post about the potential vulnerability in public.
- All potential security vulnerabilities reports should be done in PRIVATE. The prefered method to report a vulnerability is by using the Report Post feature (). Alternative is to notify a staff member in PM.
- When reporting a vulnerability, please include as many details as possible.
The following steps are taken when we are notified of a possible security vulnerability:
- A staff member will verify the report.
- The modification will be removed from the public to prevent more members installing a vulnerable modification.
- The author of the modification will be notified in PM.
- A private thread will be created where the author can discuss the vulnerability and solutions with staff.
- Once the vulnerability is fixed and verified, staff will restore the updated modification thread back into public view.
- If the author cannot be contacted to provide a solution, another coder may be aware of the issue and provide a fix . This fix will also be verified by staff.
- If no one else provides a solution, then in certain exceptional circumstances, a member of vB.org staff may provide a fix.
- Staff will send out an e-mail notification to members that have downloaded or marked the modification as installed, warning them of the issue.
- Staff will also send out an e-mail notification to the same members when the modification has been fixed and returned to the release forums.
All times are GMT. The time now is 11:30.