CurseForge Blog

Our Mod Approval Process


In this blog, we’ll walk you through a semi-detailed overview of the mod approval process. Our primary aim is to ensure the safety of our users and maintain a secure environment while also being as transparent as possible with our awesome community. Although relevant for many games on CurseForge, we will focus on Minecraft for the sake of this overview.

History

Ever since the Fractureiser incident, we’ve been working pretty hard to improve our malware detection tools. We’ve made some significant progress, and we’d like to share that with you.

The Process

Every single Minecraft mod file submitted to CurseForge undergoes the following automated process:

Step 1: Sorta Readable Java Code

The first step in our process involves decompiling the submitted jar files. Decompiling converts the compiled Java archives back into sorta readable Java code, which is essential for further analysis of the file.

Step 2: Hash Calculations and Caching

Once the file becomes sorta readable, we calculate hashes for all classes within the jar files. Hashes are a unique fingerprint for the content of the file, and they help us find previously processed or known malicious files, which are automatically rejected.

Step 3: Wooden Tools

Now that we know only new files are being processed, we run them through several static analysis tools. These are not very smart, but they do know how to spot a bunch of common issues and potential security risks.

Step 4: Netherite Tools

For classes that raise suspicions during the static analysis, we employ more advanced tools to perform a deeper analysis. Without going into too much detail, these tools run the decompiled code through a series of tests to determine if it’s malicious or not.

Step 5: Final Determination

Based on the analysis, mods are either outright rejected if they pose a significant risk, or they are escalated for manual review.
Manual Review has been a somewhat disliked staple of the CurseForge mod approval process. But it’s important and we’re constantly working on making it more efficient.
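
To make Step 2 concrete, here is an added sketch of per-class hashing with a cache lookup; it is not CurseForge's code. It assumes SHA-256 over the raw class bytes, an in-memory cache, and a nesting limit for jars bundled inside jars, and all names and sample bytes are constructed for illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3  # assumed limit on jar-in-jar nesting

def class_hashes(jar_bytes, prefix="", depth=0):
    """Map every .class entry (nested jars included) to its SHA-256 hex digest."""
    if depth > MAX_DEPTH:
        raise ValueError("jar nesting too deep: " + prefix)
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.filename.endswith(".class"):
                hashes[path] = hashlib.sha256(jar.read(info)).hexdigest()
            elif info.filename.endswith(".jar"):
                hashes.update(class_hashes(jar.read(info), path + "!/", depth + 1))
    return hashes

def triage(jar_bytes, known_bad, seen):
    """Return (verdict, class paths) where verdict is reject, cached or analyze."""
    hashes = class_hashes(jar_bytes)
    bad = sorted(p for p, h in hashes.items() if h in known_bad)
    if bad:
        return "reject", bad          # known malicious class: reject automatically
    new = sorted(p for p, h in hashes.items() if h not in seen)
    seen.update(hashes.values())      # remember what has now been processed
    return ("analyze", new) if new else ("cached", [])

def make_jar(entries):
    """Build an in-memory jar from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    main_cls, evil_cls = b"\xca\xfe\xba\xbeMain", b"\xca\xfe\xba\xbeEvil"  # constructed
    known_bad, seen = {hashlib.sha256(evil_cls).hexdigest()}, set()
    clean = make_jar({"mod/Main.class": main_cls})
    bundled = make_jar({"mod/Main.class": main_cls,
                        "META-INF/jars/lib.jar": make_jar({"lib/Evil.class": evil_cls})})
    for jar in (clean, clean, bundled):
        print(triage(jar, known_bad, seen))
```

Hashing per class rather than per jar means a known-bad class is still matched when it is repackaged inside an otherwise new archive, which is why the lookup also descends into bundled jars.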

Tackling False Positives

One of the issues this new process caused is that the number of false positives has increased. This happens because our tools are not perfect, and we’re continuously working on improving them to reduce the number of false positives.

To Conclude

Safety is an important aspect of any modding community, and while no process is bullet-proof, this has significantly improved the security and safety of the CurseForge platform.
We’re always working on improving the process and making it better.