Please do not open a public GitHub issue for security vulnerabilities.

Report security issues by using GitHub's private vulnerability reporting on this repository.

Include:

• A description of the vulnerability and its impact
• Steps to reproduce (proof-of-concept if possible)
• Affected versions/commits

We will acknowledge your report within 72 hours and aim to release a fix within 7 days for critical issues.

This project is a server-side implementation. Relevant vulnerability classes:

• Remote code execution via malformed packets
• Authentication bypass (online-mode circumvention)
• Denial of service via packet flooding or malformed chunk/NBT data
• Path traversal in world file loading
• Server property or secret exposure via RCON/JSON-RPC

Out of scope: client-side rendering bugs, vanilla client exploits.