mirror of
https://github.com/getnora-io/nora.git
synced 2026-04-12 13:50:31 +00:00
DevITWay | Pavel Volkov
432e8d35af
* docs: add DCO, governance model, roles, vulnerability credit policy * security: migrate token hashing from SHA256 to Argon2id - Replace unsalted SHA256 with Argon2id (salted) for API token hashing - Fix TOCTOU race: replace exists()+read() with read()+match on error - Set chmod 600 on token files and 700 on token storage directory - Auto-migrate legacy SHA256 tokens to Argon2id on first verification - Add regression tests: argon2 format, legacy migration, file permissions
1.6 KiB
1.6 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- Email: devitway@gmail.com
- Telegram: @DevITWay (private message)
What to Include
- Type of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response Timeline
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: depends on severity
Severity Levels
| Severity | Description | Response |
|---|---|---|
| Critical | Remote code execution, auth bypass | Immediate fix |
| High | Data exposure, privilege escalation | Fix within 7 days |
| Medium | Limited impact vulnerabilities | Fix in next release |
| Low | Minor issues | Scheduled fix |
Security Best Practices
When deploying NORA:
- Enable authentication - Set
NORA_AUTH_ENABLED=true - Use HTTPS - Put NORA behind a reverse proxy with TLS
- Limit network access - Use firewall rules
- Regular updates - Keep NORA updated to latest version
- Secure credentials - Use strong passwords, rotate tokens
Acknowledgments
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.
If you have previously reported a vulnerability and would like to be credited, please let us know.