apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/SECURITY.md
Eli Peter 19b578c5c4
Feat/configurable sanitizers and js precision (#32) 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators

* feat: Enhance resource management and analysis efficiency

- Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance.
- Introduced `GlobalSummaries::merge()` for efficient merging of summaries.
- Optimized file reading and hashing to eliminate redundant I/O operations.
- Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing.
- Enhanced taint analysis with in-place mutations to reduce memory allocations.
- Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions.

* feat: Implement severity downgrade for findings in non-production paths and add source kind inference

* feat: Update versioning information in SECURITY.md for new stable line

* feat: Update categories in Cargo.toml to include parser-implementations and text-processing

* feat: Update dependencies in Cargo.lock for improved compatibility and performance

* feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility
2026-02-25 04:02:11 -05:00

46 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Policy
## Supported Versions
| Version | Supported | Notes |
|---------|-----------|----------------------|
| 0.3.x | ✅ | Latest stable line |
| 0.2.x | ✅ | Critical fixes only |
| < 0.2 | | End-of-life |
We follow [Semantic Versioning] as soon as we hit **1.0.0**.
Before that, breaking changes may land in any minor release.
## Reporting a Vulnerability
* **Private disclosure first.**
Please **do not** open public GitHub issues for security bugs.
* **How to report**
1. To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.
* **What to include**
A minimal PoC or reproduction steps
Affected Nyx version (`nyx --version`) and OS
Impact explanation (e.g. RCE, DoS, data leak)
* **Response timeline**
We acknowledge within **3 business days** and give a status update every **7 days** thereafter until resolution.
## Disclosure Process
1. We confirm the issue and assign a CVE (via GitHub or MITRE).
2. A fix is developed on a private branch and back-ported if needed.
3. Coordinated release: new version on crates.io + public advisory.
4. Credit is given to the reporter unless they request anonymity.
## Scope & Severity
This policy covers vulnerabilities that let an **untrusted Nyx input** cause:
* Remote or local code execution in the Nyx process
* Privilege escalation, data exfiltration, or denial of service
**False positives / missed detections** in scan results are *quality issues*, not security issuesplease file normal GitHub issues for those.
[Semantic Versioning]: https://semver.org
Reference in a new issue View git blame Copy permalink