apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/SECURITY.md
Eli Peter 1bbe4b1cfb
Phase 1 (#33) 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-02-25 21:16:36 -05:00

1.7 KiB
Raw Permalink Blame History

Security Policy

Supported Versions

Version Supported Notes
0.4.x Latest stable line
0.3.x Critical fixes only
< 0.3 End-of-life

We follow Semantic Versioning as soon as we hit 1.0.0.
Before that, breaking changes may land in any minor release.

Reporting a Vulnerability

  • Private disclosure first.
    Please do not open public GitHub issues for security bugs.

  • How to report

    1. To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.

  • What to include
    A minimal PoC or reproduction steps
    Affected Nyx version (nyx --version) and OS
    Impact explanation (e.g. RCE, DoS, data leak)

  • Response timeline
    We acknowledge within 3 business days and give a status update every 7 days thereafter until resolution.

Disclosure Process

  1. We confirm the issue and assign a CVE (via GitHub or MITRE).
  2. A fix is developed on a private branch and back-ported if needed.
  3. Coordinated release: new version on crates.io + public advisory.
  4. Credit is given to the reporter unless they request anonymity.

Scope & Severity

This policy covers vulnerabilities that let an untrusted Nyx input cause:

  • Remote or local code execution in the Nyx process
  • Privilege escalation, data exfiltration, or denial of service

False positives / missed detections in scan results are quality issues, not security issues—please file normal GitHub issues for those.