We release security updates for the following versions of Minecraft Launcher:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
Note: This project is currently in active development. We recommend always using the latest version from the main branch to ensure you have the most recent security patches.
We take the security of Minecraft Launcher seriously. If you discover a security vulnerability, please help us protect our users by reporting it responsibly.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by:
- Opening a private security advisory on GitHub:
  - Go to the Security Advisories page
  - Click "Report a vulnerability"
  - Fill in the details of the vulnerability
- Contacting the maintainers directly through:
  - Opening a private issue (if available)
  - Contacting via the contact information provided in the project
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: The potential impact and severity of the issue
- Steps to Reproduce: Detailed steps to reproduce the vulnerability
- Proof of Concept: If possible, include a proof of concept or exploit code
- Affected Versions: Which versions of the launcher are affected
- Suggested Fix: If you have suggestions for fixing the issue
- Initial Response: We aim to acknowledge receipt of your vulnerability report within 48 hours
- Status Updates: We will provide regular updates on the progress of addressing the vulnerability
- Resolution: We will work to resolve critical vulnerabilities as quickly as possible, typically within 7-14 days for critical issues
- We follow a coordinated disclosure approach
- We request that you do not publicly disclose the vulnerability until we have released a fix
- Once a fix is released, we will credit you (if desired) in the security advisory and release notes
- We aim to release security fixes within 90 days of the initial report
This launcher supports Microsoft account authentication for Minecraft. Please note:
- Never share your account credentials with anyone
- Use strong, unique passwords for your Microsoft account
- Enable two-factor authentication on your Microsoft account
- The launcher never stores your password - only authentication tokens
- Authentication tokens are stored securely in the macOS Keychain
The launcher downloads game files from official Mojang/Microsoft servers:
- All downloads are verified using SHA1 checksums
- Files are downloaded over HTTPS connections
- The launcher verifies file integrity before installation
- Only official Mojang/Microsoft servers are used for game downloads
If you use proxy settings:
- Be cautious when using third-party proxies
- Only use proxies from trusted sources
- Proxy credentials (if any) are stored securely
- SOCKS5 proxies provide better security than HTTP proxies
The launcher operates within standard Minecraft directories:
- Default location: `~/.minecraft/`
- The launcher only accesses files within this directory and its subdirectories
- No system files are modified outside the Minecraft directory
- All file operations are logged for transparency
- All connections to Mojang/Microsoft servers use HTTPS
- Certificate validation is enforced
- The launcher does not make connections to unauthorized third-party servers
- Network requests are logged for debugging purposes
This project is in active development. Please be aware of the following:
- Beta Software: This launcher is not yet production-ready
- Limited Testing: Security testing is ongoing
- Rapid Changes: The codebase is evolving quickly
- Proprietary UI Library: Some components use a closed-source UI library
- Use at your own risk during the development phase
- Keep backups of your Minecraft data
- Monitor the repository for security updates
- Report any suspicious behavior immediately
- Keep the launcher updated to the latest version
- Download only from official sources (GitHub releases)
- Verify the integrity of downloaded releases
- Review permissions requested by the launcher
- Use a dedicated Minecraft directory if concerned about file access
- Never enter credentials in unofficial launchers or websites
- Use Microsoft's official authentication flow
- Log out when not using the launcher
- Revoke access if you suspect unauthorized use
- Keep macOS updated to the latest version
- Use macOS security features (Gatekeeper, XProtect)
- Run antivirus software if desired
- Monitor system logs for unusual activity
- HTTPS-only connections for all network requests
- SHA1 checksum verification for all downloads
- Secure token storage using macOS Keychain
- Input validation for user-provided data
- Comprehensive logging for audit trails
- Proxy support with secure configuration
- No password storage - token-based authentication only
- Code signing for macOS releases
- Notarization for macOS distribution
- Sandboxing for enhanced isolation
- Automatic updates with signature verification
- Enhanced logging with security event monitoring
- Penetration testing before stable release
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). All security fixes and improvements must be shared under the same license.
- The launcher does not collect or transmit personal data
- Authentication is handled directly by Microsoft
- No analytics or telemetry are collected
- All data remains on your local machine
We regularly review and update dependencies to address known vulnerabilities:
- Swift Package Manager dependencies are monitored
- Security advisories are reviewed promptly
- Updates are applied as soon as possible
We would like to thank the following individuals for responsibly disclosing security vulnerabilities:
No security reports have been received yet.
For security-related inquiries that are not vulnerabilities, you can:
- Open a regular GitHub issue
- Contact the maintainers through the repository
For security vulnerabilities, please follow the reporting process outlined above.
Thank you for helping keep Minecraft Launcher and our users safe!