
URL: https://minecraft.wiki/w/Minecraft_Wiki:Responsible_disclosure



Minecraft Wiki:Responsible disclosure

From Minecraft Wiki

Responsible disclosure refers to the practice of disclosing a security issue to the public only after the issue has been given sufficient time to be fixed or mitigated. The goal of the wiki participating in responsible disclosure is that players learn of the vulnerabilities and can upgrade to a safe version before the details of the issue become widespread, which would otherwise leave users exposed.

Disclosure policy

In practice, this means that details of vulnerability fixes in development versions that affect the current stable release should not be disclosed, regardless of whether the fixes are reported on Mojira. Only the number of vulnerabilities fixed and a description of each one's severity may be published. The severity of a vulnerability can be assessed via CVSS, a standardized method for evaluating the risk associated with security vulnerabilities.

The details of the vulnerability should not be disclosed until either:

  • 7 days after the fix has entered a full release; or
  • a consensus has been reached that the issue is being actively exploited.

Disclosure can be moved earlier or later than the above date (no later than 30 days) upon request from Mojang or by consensus.

If official changelogs acknowledge that a vulnerability has been fixed, a message box should be placed at the top of the Issues section of both the snapshot and the upcoming release, so that readers are notified to upgrade and editors are reminded not to add detailed information.

Vulnerabilities

For the purpose of this policy, a vulnerability is defined as a flaw in the game that can be exploited to undermine the confidentiality, integrity, and/or availability of the system. The following are the types of vulnerabilities and their meanings.

  • A breach of confidentiality means that something that is not supposed to be disclosed to a user is disclosed. Examples include accessing server logs without authorization, exposing player coordinates, etc.
  • A loss of integrity means that something that is not supposed to be modified by a user is modified. Examples include item duplication (see below), illegal block placements, acquiring permissions arbitrarily, etc.
  • A reduction of availability means that something that is supposed to be accessible can no longer be accessed. Examples include denial-of-service attacks that cause crashes or performance degradation, etc.

Special case: item duplication

The community considers item duplication and other issues that merely give players an in-game advantage a special case. Although Mojang treats these issues as a loss of integrity and therefore a security issue, their consequences are usually limited. Simple item duplication issues are therefore not considered vulnerabilities by default, unless decided otherwise by consensus.

Reporting vulnerabilities

The wiki is not a collection of bug reports. If you identify a vulnerability, report it directly to Mojang through Mojira. Reporting promptly helps ensure that security issues are addressed as quickly as possible.

Retrieved from "https://minecraft.wiki/w/Minecraft_Wiki:Responsible_disclosure?oldid=3454921"