nyx/SECURITY.md
Eli Peter 1bbe4b1cfb
Phase 1 (#33)
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-02-25 21:16:36 -05:00


# Security Policy
## Supported Versions
| Version | Supported | Notes |
|---------|-----------|----------------------|
| 0.4.x | ✅ | Latest stable line |
| 0.3.x | ✅ | Critical fixes only |
| < 0.3 | | End-of-life |

We will follow [Semantic Versioning] once we reach **1.0.0**.
Until then, breaking changes may land in any minor release.
## Reporting a Vulnerability
* **Private disclosure first.**
  Please **do not** open public GitHub issues for security bugs.
* **How to report**
  1. Use GitHub's private vulnerability reporting in the repository's **Security** tab to alert us to the issue.
* **What to include**
  * A minimal PoC or reproduction steps
  * Affected Nyx version (`nyx --version`) and OS
  * Impact explanation (e.g. RCE, DoS, data leak)
* **Response timeline**
  We acknowledge within **3 business days** and give a status update every **7 days** thereafter until resolution.
## Disclosure Process
1. We confirm the issue and assign a CVE (via GitHub or MITRE).
2. A fix is developed on a private branch and back-ported if needed.
3. Coordinated release: new version on crates.io + public advisory.
4. Credit is given to the reporter unless they request anonymity.
## Scope & Severity
This policy covers vulnerabilities that let an **untrusted Nyx input** cause:
* Remote or local code execution in the Nyx process
* Privilege escalation, data exfiltration, or denial of service
**False positives / missed detections** in scan results are *quality issues*, not security issues; please file normal GitHub issues for those.
[Semantic Versioning]: https://semver.org