Our security policy is to avoid leaving the ecosystem worse than we found it, meaning we are not planning to introduce vulnerabilities into the ecosystem.
The nidhogg maintainer takes all security bugs in nidhogg seriously. Thank you for improving the security of nidhogg. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
Report security bugs by emailing the lead maintainer at [email protected] and include the word "SECURITY" in the subject line.
The lead maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
- nidhogg will confirm the problem and determine the affected versions.
- nidhogg will audit code to find any potential similar problems.
- nidhogg will prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.
Report security bugs in third-party modules to the person or team maintaining the module.
- SECURITY DISCLOSURE:
Your responsibility is to report vulnerabilities to us using the guidelines outlined below.
Discuss how someone should disclose a vulnerability to nidhogg, in tl;dr (or ELI5) language. Then expand on this with "How To Disclose a vulnerability in detail". Please give detailed steps on how to disclose the vulnerability. Keep these OWASP guidelines in mind (https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet) when creating your disclosure policy. Below are some recommendations for security disclosures:
- nidhogg security contact { contact: mailto:[email protected] }
- Disclosure format: When disclosing vulnerabilities, please provide:
  - Your name and affiliation (if any).
  - The scope of the vulnerability. Let us know who could use this exploit.
  - Documented steps to identify the vulnerability. It is important that we can reproduce your findings.
  - How to exploit the vulnerability; give us an attack scenario.
Encryption key for [email protected]
For critical flaws and sensitive security information, you may encrypt your transmission with the key below.