Security Policy

If you believe you’ve found a flaw or flaws in a service run by Libera Chat such that the service cannot be considered secure, you are encouraged to submit a report. Please read the following in full before doing so.

Defining Security

Within this section,

Libera Chat services are considered secure only if no user can do any of the following:

General

Accounts

IRC

A Warning About LLMs

We understand that there are assistive technologies that researchers may wish to use to help find vulnerabilities in codebases. Unfortunately, as we are a fully volunteer team, we do not have the resources to cope with the significant drain on open-source maintainers’ time and energy that is caused by LLM hallucinations.

We expect that all reports of security issues that are sent to us have been tested, reproduced, and verified as true by the human responsible for submitting the report. If you cannot demonstrate that you have replicated the behaviour that is described in the report, please do not submit it.

If an LLM is used to assist in communication, you must provide the exact prompt that generated the output that you have sent to us, and details about which model was used.

Submitting security reports that do not meet the above criteria is considered spam and is grounds for being blocked from Libera Chat’s ticket, bug, and/or pull request trackers.

Contact Info

For suspected software misconfigurations leading to vulnerabilities, security bugs in one of Libera Chat’s own projects, or if you are a maintainer of software used by Libera Chat looking to inform us about a vulnerability in your software, please email security@libera.chat. The subject line must start with the string SECURITY <name> - where <name> is the name of the software component in question.

Libera Chat relies on various open-source projects which may have their own security policies and disclosure processes. If you believe you have discovered a security issue in one of the projects listed below, please follow their instructions for reporting security issues:

Clients

Libera Chat is not responsible for any security vulnerabilities in IRC clients aside from the webchat instances under the subdomain web.libera.chat.

However, if you are a maintainer of a widely-used IRC client and your client has a remote code execution vulnerability that we can help mitigate, consider contacting us. We can also provide public service announcements via our news page, wallops, and social media. If you contact us via our security email for this purpose, the subject line must start with the string CLIENT <name> - where <name> is the name of the client in question.