mirror of
https://github.com/getnora-io/nora.git
synced 2026-04-12 16:10:31 +00:00
DevITWay | Pavel Volkov
432e8d35af
* docs: add DCO, governance model, roles, vulnerability credit policy * security: migrate token hashing from SHA256 to Argon2id - Replace unsalted SHA256 with Argon2id (salted) for API token hashing - Fix TOCTOU race: replace exists()+read() with read()+match on error - Set chmod 600 on token files and 700 on token storage directory - Auto-migrate legacy SHA256 tokens to Argon2id on first verification - Add regression tests: argon2 format, legacy migration, file permissions
56 lines
1.6 KiB
Markdown
56 lines
1.6 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 0.2.x | :white_check_mark: |
|
|
| < 0.2 | :x: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please do not report security vulnerabilities through public GitHub issues.**
|
|
|
|
Instead, please report them via:
|
|
|
|
1. **Email:** devitway@gmail.com
|
|
2. **Telegram:** [@DevITWay](https://t.me/DevITWay) (private message)
|
|
|
|
### What to Include
|
|
|
|
- Type of vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Suggested fix (if any)
|
|
|
|
### Response Timeline
|
|
|
|
- **Initial response:** within 48 hours
|
|
- **Status update:** within 7 days
|
|
- **Fix timeline:** depends on severity
|
|
|
|
### Severity Levels
|
|
|
|
| Severity | Description | Response |
|
|
|----------|-------------|----------|
|
|
| Critical | Remote code execution, auth bypass | Immediate fix |
|
|
| High | Data exposure, privilege escalation | Fix within 7 days |
|
|
| Medium | Limited impact vulnerabilities | Fix in next release |
|
|
| Low | Minor issues | Scheduled fix |
|
|
|
|
## Security Best Practices
|
|
|
|
When deploying NORA:
|
|
|
|
1. **Enable authentication** - Set `NORA_AUTH_ENABLED=true`
|
|
2. **Use HTTPS** - Put NORA behind a reverse proxy with TLS
|
|
3. **Limit network access** - Use firewall rules
|
|
4. **Regular updates** - Keep NORA updated to latest version
|
|
5. **Secure credentials** - Use strong passwords, rotate tokens
|
|
|
|
## Acknowledgments
|
|
|
|
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.
|
|
|
|
If you have previously reported a vulnerability and would like to be credited, please let us know.
|