You’re viewing Modrinth’s staging environment.
The staging environment is running on a copy of the production Modrinth database. This is used for testing and debugging purposes, and may be running in-development versions of the Modrinth backend or frontend newer than the production instance.

Security Notice

This is the security notice for all Modrinth repositories. The notice explains how vulnerabilities should be reported.

Reporting a Vulnerability

If you've found a vulnerability, we would like to know so we can fix it before it is released publicly. Do not open a GitHub issue for a found vulnerability.

Send details to including:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • optionally the type of vulnerability and any related OWASP category
  • non-destructive exploitation details

We will do our best to reply as fast as possible.


The following vulnerabilities are not in scope:

  • volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
  • reports indicating that our services do not fully align with "best practice", for example missing security headers

If you aren't sure, you can still reach out via email or direct message.

This notice is inspired by the Python Discord Security Notice.

Version 2022-11