The CFX team takes the security of our software products and services seriously, which includes not only the products built from this repository (FiveM, RedM, FXServer), but also, our online services.

Please do not report security vulnerabilities through public GitHub issues or pull requests.

Public reports will be deleted at a first instance, and subsequent reports through public issues may result in reporters getting banned from our GitHub organization. Reporting security issues publicly is not considered responsible disclosure, and increases risk for our community and its players.

Instead, please report them responsibly to either:

• CFX Support Platform, "Report a vulnerability or exploit"
• E-mail

Someone from the CFX team will review and respond within 24 hours, if not - please follow up via the chosen communication method.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

• Type of issue (e.g. buffer overflow, cross-site scripting, RCE, etc.)
• Product/service affected (FiveM, RedM, FXServer, etc.)
• Version/update channel of the product (if known)
• The location of the affected source code (tag/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue