The MasterCombat team takes security vulnerabilities seriously. Thank you for helping us maintain the security of our project.

If you believe you have found a security vulnerability in MasterCombat, please follow these steps:

1. Do Not disclose the vulnerability publicly

2. Do Not create a public GitHub issue

3. Instead, please report it through one of these secure channels:

   • Direct Message to opmasterleo on Discord
   • Email to our security team (address to be provided)
   • Private security advisory through GitHub's Security Advisory feature

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Server platform and version (e.g., Paper 1.20.2)
• MasterCombat plugin version
• Any relevant configuration files (with sensitive data removed)
• Proof of concept or exploit code (if available)

After you report a vulnerability:

1. You'll receive an acknowledgment within 48 hours
2. We'll investigate and provide regular updates
3. Once fixed, we'll notify you and provide credits (if desired)
4. The fix will be released as a security update

When using MasterCombat in production:

1. Always keep the plugin updated to the latest version
2. Review configuration files regularly
3. Use permission systems properly
4. Monitor plugin logs for suspicious activity
5. Backup your configuration files regularly

Security advisories for past vulnerabilities can be found in our Security Advisories page.

Coming soon: GPG key for secure communication.

We'd like to thank the following individuals who have helped improve MasterCombat's security:

(This section will be updated as contributors help identify and fix security issues)

Our security policy is part of the project covered under the Apache License 2.0.