apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/SECURITY.md
Eli Peter 19b578c5c4
Feat/configurable sanitizers and js precision (#32) 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators

* feat: Enhance resource management and analysis efficiency

- Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance.
- Introduced `GlobalSummaries::merge()` for efficient merging of summaries.
- Optimized file reading and hashing to eliminate redundant I/O operations.
- Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing.
- Enhanced taint analysis with in-place mutations to reduce memory allocations.
- Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions.

* feat: Implement severity downgrade for findings in non-production paths and add source kind inference

* feat: Update versioning information in SECURITY.md for new stable line

* feat: Update categories in Cargo.toml to include parser-implementations and text-processing

* feat: Update dependencies in Cargo.lock for improved compatibility and performance

* feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility
2026-02-25 04:02:11 -05:00

1.7 KiB
Raw Permalink Blame History

Security Policy

Supported Versions

Version Supported Notes
0.3.x Latest stable line
0.2.x Critical fixes only
< 0.2 End-of-life

We follow Semantic Versioning as soon as we hit 1.0.0.
Before that, breaking changes may land in any minor release.

Reporting a Vulnerability

  • Private disclosure first.
    Please do not open public GitHub issues for security bugs.

  • How to report

    1. To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.

  • What to include
    A minimal PoC or reproduction steps
    Affected Nyx version (nyx --version) and OS
    Impact explanation (e.g. RCE, DoS, data leak)

  • Response timeline
    We acknowledge within 3 business days and give a status update every 7 days thereafter until resolution.

Disclosure Process

  1. We confirm the issue and assign a CVE (via GitHub or MITRE).
  2. A fix is developed on a private branch and back-ported if needed.
  3. Coordinated release: new version on crates.io + public advisory.
  4. Credit is given to the reporter unless they request anonymity.

Scope & Severity

This policy covers vulnerabilities that let an untrusted Nyx input cause:

  • Remote or local code execution in the Nyx process
  • Privilege escalation, data exfiltration, or denial of service

False positives / missed detections in scan results are quality issues, not security issues—please file normal GitHub issues for those.