# Security Policy ## Supported Versions Mirror & Mirror LTS are both supported for security fixes. ## Reporting a Vulnerability Please email security [at] mirror-networking.com to report a vulnerability.
You can also contact us in [our Discord](https://discord.gg/N9QVxbM) for faster replies. You can expect a reply within 24-48 hours.
We will keep you updated on our steps to mitigate issues every 2-4 weeks. ## Timelines - Critical vulnerabilities can be expected to be patched within 1-2 weeks. - Medium risk vulnerabilities can be expected to be patched within 2-3 weeks. - Low risk vulnerabilities will be patched within 3-4 weeks. ## Bug Bounty Depending on the severity of the exploit, we offer a $50 - $500 bug bounty. **Specifically we are looking for:** * Ways to crash a Mirror server. * Ways to exploit a Mirror server. * Ways to leave a Mirror server in undefined state. We are **not** looking for DOS/DDOS attacks, as those are expected to be handled by the hosting infrastructure. ## Notifications In case of security breaches, Mirror users will be informed in our [Discord server](https://discord.gg/N9QVxbM) and release changelogs. Since we collect no user data, you are recommended to read the changelog and follow our Discord announcements.