Devforum+ likely has only a small chance of being impacted by security vulnerabilities. However, because the plugin can read and edit content on the devforum.roblox.com domain for our users (which can contain INTERNAL or PROPRIETARY information), we take security very seriously.
If you believe that Devforum+ may be impacted by a security vulnerability, immediately report it, even if you don't have a proof of concept. Do not attempt to push or pull fixes for security vulnerabilities without an OK from us; this is to protect our users.
Questions about the security of Devforum+ can be posted on discussions.
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
To report a vulnerability, send an email to security+dfp@elliottmozley.com.
We'll aim to send an acknowledgement within 12-24 hours, and hope to get the issue fixed within 24-72 hours depending on the severity.
Due to the nature of the project, we can only disclose a security vulnerability 30 days after the fix has been released; this is to ensure that our users are up to date and that a bad actor couldn't misuse the vulnerability during the update rollout.
Depending on the severity of the issue and the quality of your report, you may be eligible for a reward. We'll discuss all security vulnerabilities after the fix has been deployed, and if we believe you deserve a reward for your hard work, we'll be in touch.