We actively support security updates for the following versions of Xonotic:
| Version | Supported |
|---|---|
| 0.8.5 | Yes |
| 0.8.x | Yes |
| 0.7.x | No |
| < 0.7 | No |
If you discover a security vulnerability in Xonotic, please report it responsibly:
- Email: security@xonotic.org
- Discord: Direct message to @Administrators
- Private: Do NOT create public issues for security vulnerabilities
Please include:
- Description: Clear explanation of the vulnerability
- Impact: How it affects players/servers
- Reproduction: Step-by-step instructions
- Environment: Game version, OS, server setup
- Evidence: Screenshots, logs, or video proof
| Stage | Timeline | Action |
|---|---|---|
| Initial Response | 24-48 hours | Acknowledge receipt |
| Investigation | 1-7 days | Analyze and verify |
| Fix Development | 1-14 days | Create and test patch |
| Release | 1-3 days | Deploy security update |
| Disclosure | After fix | Public security advisory |
- Server Exploits: Remote code execution, crashes
- Client Vulnerabilities: Code injection, file access
- Network Issues: DDoS amplification, packet manipulation
- Authentication Bypass: Server admin circumvention
- Data Leaks: Personal information exposure
- Cheating Infrastructure: Wallhacks, aimbots at engine level
- Gameplay Balance: Weapon strength, map design
- Standard Cheats: Typical FPS cheating (use anti-cheat)
- Social Engineering: Player impersonation
- Third-party Mods: Custom modifications
- Legacy Versions: Unsupported game versions
- Client-side Configs: Player preference exploits
- Update Regularly: Always run the latest Xonotic version
- Monitor Logs: Watch for suspicious activity
- Limit Permissions: Restrict admin access
- Backup Data: Regular server data backups
- Network Security: Use firewalls and DDoS protection
- Official Downloads: Only download from xonotic.org
- Verify Checksums: Check file integrity
- Avoid Suspicious Servers: Don't join untrusted servers
- Report Cheaters: Use in-game reporting
- Update Game: Keep client updated
We recognize security researchers who help keep Xonotic safe:
- [Reporter Name] - Found critical RCE vulnerability
- [Researcher] - Discovered authentication bypass
- [Community Member] - Reported server crash exploit
Want to be listed? Report a valid security issue!
- Remote code execution
- Full system compromise
- Mass server takeover
- Privilege escalation
- Data extraction
- Service disruption
- Information disclosure
- Limited DoS attacks
- Authentication issues
- Minor information leaks
- Edge case crashes
- Configuration issues
- Log Analyzer: Monitor server security
- Traffic Inspector: Network packet analysis
- Integrity Checker: Verify game files
For critical security issues requiring immediate attention:
- Discord: @SecurityTeam (mention in #emergency)
- Email: urgent-security@xonotic.org
- IRC: #xonotic-security on QuakeNet
Thanks to the gaming security community for keeping Xonotic safe and the competitive FPS scene secure.
Security is everyone's responsibility in competitive gaming!