forked from Pryaxis/TShock
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add security policy to satisfy github
- Loading branch information
Showing
1 changed file
with
96 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| # Security Policy | ||
|
|
||
| TShock aims to improve Terraria's multiplayer security. Security issues | ||
| for us are a little different compared to other projects. | ||
|
|
||
| Our "most normal" response criteria for security reports involve TShock | ||
| itself. For security issues in TShock, TSAPI, or other Pryaxis | ||
| projects, all issues can be reported to us directly, and we'll issue | ||
| fixes as appropriate. Depending on the nature of the issue, we will | ||
| either issue an update and note the issue in the changelog, or | ||
| coordinate a case specific security response. | ||
|
|
||
| For example, in [GHSA-q776-cv3j-4q6m] | ||
| (https://github.com/Pryaxis/TShock/security/advisories/GHSA-q776-cv3j-4q6m), | ||
| we gave many server operators advanced warning about the issue, | ||
| provided server specific patch guidance, and announced the disclosure | ||
| in a predictable way. This is because the issue was primarily one | ||
| introduced by TShock. Since we attempted to fix a problem with Terraria | ||
| and left a gap, we considered it a higher priority to fix and disclose | ||
| than other issues we've had reported. | ||
|
|
||
| If you operate a server with a large player base, you can contact us for | ||
| advanced details about a security vulnerability when we're coordinating | ||
| the disclosure. The best way to learn about upcoming issues is to keep | ||
| an eye on the announcements category of discussions, and subscribe to | ||
| our Discord's announcements feed. | ||
|
|
||
| When issues are discovered in the Terraria protocol directly, we add | ||
| guards to TShock to prevent their abuse. Depending on the severity of | ||
| the issue, we may choose to release versions which account for protocol | ||
| defects differently. Because there are so many protocol defects, | ||
| running a TShock server (and by extension, a Terraria server) is | ||
| inherently risky. Therefore, we strongly advise updating to the latest | ||
| versions of TShock at all times. | ||
|
|
||
| Some types of issues may not be directly patched by TShock, after | ||
| reporting. For example, esoteric attack types may not be disclosed | ||
| because they're too difficult to protect against, represent a low risk, | ||
| or otherwise may adversely affect servers if disclosed. This is usually | ||
| the case with minor protocol defects in Terraria, where patching an | ||
| issue may start an "arm's race" or where the attack is theoretical, but | ||
| not occurring in practice, and poses minimal risk. | ||
|
|
||
| ## Supported Terraria protocol versions | ||
|
|
||
| TShock maintains protocol patches and associated protection services for | ||
| the the most recent versions of Terraria. We may remove protection | ||
| mechanisms or update them in response to protocol changes. | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 1.4.2.1 | :white_check_mark: | | ||
| | 1.4.0.5 | :x: | | ||
|
|
||
| It is important to remember that Terraria is a clientside game with | ||
| serverside networking "added on." If you're familiar with hosting | ||
| Minecraft or other primarily serverside games, please be aware that | ||
| integrity cannot be maintained with Terraria in the same way. The | ||
| network design has improved over the years, but is fundamentally | ||
| difficult to fully secure. Even in a fully patched, supported version | ||
| of TShock, protocol defects leading to client and server crashes, item | ||
| duplication, and denial of service still exist in some way or another. | ||
|
|
||
| When feasible, Pryaxis works with Re-Logic to address security issues. | ||
| However, due to the nature of these types of issues, we cannot always | ||
| disclose the status of certain issues which have been reported to | ||
| Re-Logic. | ||
|
|
||
| ## Supported TShock versions | ||
|
|
||
| Beginning with TShock 4.5, versions with odd numbers are | ||
| considered "unstable" for the purposes of operating a public server, | ||
| and may contain issues with the Terraria protocol in terms of patching, | ||
| danger, or other similar things. Versions which are considered "stable" | ||
| are even numbered releases, which offer typical security measures. | ||
|
|
||
| When running unstable versions of TShock, make regular backups of your | ||
| worlds, characters, configurations, and databases. This is because the | ||
| Terraria protocol may be dangerous in this version, and data loss may | ||
| occur. More commonly, attackers may perform denial of service attacks, | ||
| cheat items into the game, or perform other types of griefing on | ||
| servers. You stand a better chance to defend against these protocol | ||
| issues by using updated versions of TShock that are stable, not | ||
| unstable releases. | ||
|
|
||
| ## Bug bounties | ||
|
|
||
| Pryaxis may offer bug bounties for defects found in Terraria or TShock, | ||
| but this is evaluated on a case by case basis. Bounties should not be | ||
| expected, and are only awarded to those who do not ask for them. | ||
|
|
||
| ## Reporting issues | ||
|
|
||
| To report issues, join Discord and mention a staff member, or post that | ||
| you have critical information in the #tshock channel. You can also | ||
| contact hakusaro ([email protected]) directly. |