Only the latest stable release receives security fixes.
Older versions are not patched - upgrade to the latest release.
| Version | Supported |
|---|---|
| 1.x.x (latest) | ✅ |
| < 1.0.0 | ❌ |
Do not open a public GitHub issue for security vulnerabilities.
Report privately via one of these channels:
- GitHub Private Advisory - Security Advisories (preferred)
- Email - nolly@thenolle.com
A useful report has:
- A clear description of the vulnerability
- The affected version(s)
- Steps to reproduce - minimal code snippet if applicable
- The potential impact (data exposure, crash, bypass, etc.)
- A suggested fix if you have one
| Stage | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 5 days |
| Fix released | Depends on severity (see below) |
| Severity | Fix Target |
|---|---|
| Critical | 3 days |
| High | 7 days |
| Medium | 14 days |
| Low | Next release cycle |
This policy covers the com.nolly:pl3x-api library itself.
In scope:
- Logic bugs that could cause silent data corruption or incorrect state in the registry
- Unsafe reflection usage in Pl3xBootstrap or Pl3xEventBridge that could be exploited
- Dependency vulnerabilities in shaded artifacts
Out of scope:
- Vulnerabilities in Pl3xMap itself - report those to the Pl3xMap project
- Vulnerabilities in Spigot/Paper - report those to their respective projects
- Issues in your own plugin code that uses this library
- Minecraft server exploits unrelated to this library
This project follows coordinated disclosure:
- You report privately
- We confirm and assess
- We develop and test a fix
- We release the fix and publish a GitHub Security Advisory
- You are credited in the advisory unless you request otherwise
Public disclosure before a fix is available will be treated as a breach of this policy.
Responsibly disclosed vulnerabilities will be credited in the release notes and security advisory by default.
If you prefer to remain anonymous, state that in your report.