nora/SECURITY.md
devitway 7682224e45 docs: fix env vars, ports, remove stale docs/, unify with getnora.dev
- README: NORA_DOCKER_UPSTREAMS -> NORA_DOCKER_PROXIES, remove phantom NORA_LOG_LEVEL/FORMAT, add NORA_AUTH_ANONYMOUS_READ, NORA_RATE_LIMIT_ENABLED, nora gc, Documentation section
- SECURITY: add 0.4.x, 0.5.x to supported versions
- COMPAT: /swagger-ui/ -> /api-docs
- llms.txt: fix env vars (RUST_LOG, NORA_DOCKER_PROXIES), rate limit default true
- docker-compose: add NORA_HOST=0.0.0.0
- docs-ru: getnora.io -> getnora.dev, fix download URL, NORA_DOCKER_PROXIES
- tests count: 460+ -> 570+
2026-04-12 17:30:06 +00:00


Security Policy

Supported Versions

Version Supported
0.5.x
0.4.x
0.3.x
0.2.x
< 0.2

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via:

  1. Email: devitway@gmail.com
  2. Telegram: @DevITWay (private message)

What to Include

  • Type of vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial response: within 48 hours
  • Status update: within 7 days
  • Fix timeline: depends on severity

Severity Levels

Severity | Description                          | Response
Critical | Remote code execution, auth bypass   | Immediate fix
High     | Data exposure, privilege escalation  | Fix within 7 days
Medium   | Limited impact vulnerabilities       | Fix in next release
Low      | Minor issues                         | Scheduled fix

Security Best Practices

When deploying NORA:

  1. Enable authentication - Set NORA_AUTH_ENABLED=true
  2. Use HTTPS - Put NORA behind a reverse proxy that terminates TLS
  3. Limit network access - Use firewall rules
  4. Regular updates - Keep NORA updated to the latest version
  5. Secure credentials - Use strong passwords and rotate tokens
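As an added example (not part of the NORA project or this policy), the POSIX shell script below is a hypothetical preflight check for a NORA env file that catches the settings the list above warns about before the service is started. The variable names NORA_AUTH_ENABLED, NORA_RATE_LIMIT_ENABLED and NORA_HOST are taken from this page; the function names, the return-code convention and the two sample env files are constructed for the example and are not real deployments.

```shell
#!/bin/sh
# Hypothetical preflight check for a NORA deployment (added example, not project code).
# Reads a .env-style file and reports settings that contradict the best-practices list.
# Variable names come from the page; the helpers and the sample files are assumptions.

# env_value FILE KEY -> prints KEY's value from FILE (last assignment wins, quotes stripped).
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# nora_preflight FILE -> prints one line per finding, returns the number of hard findings
# (0 means the file passes). Warnings are printed but not counted.
nora_preflight() {
    file=$1
    findings=0

    auth=$(env_value "$file" NORA_AUTH_ENABLED)
    if [ "$auth" != "true" ]; then
        echo "FINDING: NORA_AUTH_ENABLED is '${auth:-unset}', policy requires true"
        findings=$((findings + 1))
    fi

    rl=$(env_value "$file" NORA_RATE_LIMIT_ENABLED)
    if [ "$rl" = "false" ]; then
        echo "FINDING: NORA_RATE_LIMIT_ENABLED explicitly disabled"
        findings=$((findings + 1))
    fi

    host=$(env_value "$file" NORA_HOST)
    if [ "$host" = "0.0.0.0" ]; then
        # Binding every interface is acceptable behind a TLS reverse proxy and firewall,
        # but it should be a deliberate choice, so it is flagged for review rather than counted.
        echo "WARN: NORA_HOST=0.0.0.0 binds all interfaces; confirm a TLS proxy and firewall front it"
    fi

    return "$findings"
}

# Constructed sample env files (not real deployments) to exercise the check.
NORA_SAMPLE_DIR=$(mktemp -d)
cat > "$NORA_SAMPLE_DIR/weak.env" <<'EOF'
NORA_AUTH_ENABLED=false
NORA_RATE_LIMIT_ENABLED=false
NORA_HOST=0.0.0.0
EOF
cat > "$NORA_SAMPLE_DIR/hardened.env" <<'EOF'
NORA_AUTH_ENABLED=true
NORA_RATE_LIMIT_ENABLED=true
NORA_HOST=127.0.0.1
EOF

# Stand-alone usage: run the check on both samples and report the count.
for sample in weak hardened; do
    if nora_preflight "$NORA_SAMPLE_DIR/$sample.env"; then
        echo "$sample.env: clean"
    else
        echo "$sample.env: $? finding(s)"
    fi
done
```

The check is intentionally conservative: it only fails on settings the policy names explicitly, and it treats NORA_HOST=0.0.0.0 as a warning because the page's own docker-compose uses that value and relies on the reverse proxy and firewall from the list for exposure control.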

Acknowledgments

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.

If you have previously reported a vulnerability and would like to be credited, please let us know.