We provide security updates for the following versions:
| Version | Support Status | End of Support |
|---|---|---|
| 1.0.x | π Planned LTS | TBD (1 year) |
| 0.5.x | β Active Support | February 2026 |
| 0.4.x | β End of Life | - |
| 0.3.x | β End of Life | - |
| 0.2.x | β End of Life | - |
| 0.1.x | β End of Life | - |
If you are using an older version, we strongly recommend upgrading to the latest stable release.
This project uses multiple automated security tools:
- GitHub CodeQL - Static Application Security Testing (SAST)
- OWASP Dependency-Check - Known vulnerability detection in dependencies
- GitHub Dependency Review - Pull request dependency analysis
- Dependabot - Automated dependency updates
All scans are executed automatically in CI pipelines on every pull request and release build.
All official release artifacts of Aether Datafixers are cryptographically signed to guarantee integrity and authenticity.
- All release artifacts are GPG signed
- Signatures are generated during the release pipeline
- Each published artifact is accompanied by a corresponding
.ascsignature file - Consumers can verify artifacts before usage
Example verification flow:
gpg --verify artifact.jar.asc artifact.jar
Unsigned or modified artifacts must not be trusted.
- A dedicated GPG key is used for automated GitHub releases and deployments
- Release signing keys are separate from personal developer keys
- Private key material is never committed to the repository
- Keys are stored securely using CI secret management
The signing process is fully automated and enforced during release builds.
If you discover a security vulnerability in Aether Datafixers, please report it privately.
- Email:
security@splatgames.de - GitHub Security Advisories:
https://github.com/aether-framework/aether-datafixers/security/advisories/new - GitHub Issues:
Do not report security vulnerabilities in public issues.
- Report the issue privately
- Acknowledgment within 48 hours
- Fix timeline provided within 7 days
- Critical vulnerabilities (CVSS β₯ 9.0): patch within 72 hours
- High severity (CVSS β₯ 7.0): patch within 14 days
- Security advisory published after resolution
| Severity | Acknowledgment | Fix Timeline |
|---|---|---|
| Critical (CVSS 9.0-10.0) | 24 hours | 72 hours |
| High (CVSS 7.0-8.9) | 48 hours | 14 days |
| Medium (CVSS 4.0-6.9) | 48 hours | 30 days |
| Low (CVSS 0.1-3.9) | 72 hours | Next release |
- Always use the latest stable version
- Verify GPG signatures of all downloaded artifacts
- Enable automated dependency updates
- Validate input data at system boundaries
- Use appropriate
DynamicOpsimplementations for untrusted data - Avoid sensitive data in logs
- Review the attached SBOM for dependency transparency
We follow a coordinated disclosure process:
- Private disclosure
- Fix development
- Advisory preparation
- Coordinated release
- Public disclosure after a grace period
Security audits are welcome.
- Contact
security@splatgames.debefore starting - Follow responsible disclosure practices
- Researchers may be credited with permission
For encrypted communication and release verification:
- Key Purpose: Release artifact signing
- Key ID: 37B59B93DC756EE8
- Fingerprint: C6BE25BF2A4639A67A491EBD37B59B93DC756EE8
- Accessable in repository:
KEYS
Contact: security@splatgames.de
Thank you for helping keep Aether Datafixers secure.