| Version | Supported | Notes |
|---|---|---|
| 0.2.x | ✅ | Latest alpha line |
| 0.1.x | ✅ | Critical fixes only |
| < 0.1 | ❌ | End-of-life |
We follow Semantic Versioning as soon as we hit 1.0.0.
Before that, breaking changes may land in any minor release.
-
Private disclosure first.
Please do not open public GitHub issues for security bugs. -
How to report
- To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.
-
What to include
– A minimal PoC or reproduction steps
– Affected Nyx version (nyx --version) and OS
– Impact explanation (e.g. RCE, DoS, data leak) -
Response timeline
We acknowledge within 3 business days and give a status update every 7 days thereafter until resolution.
- We confirm the issue and assign a CVE (via GitHub or MITRE).
- A fix is developed on a private branch and back-ported if needed.
- Coordinated release: new version on crates.io + public advisory.
- Credit is given to the reporter unless they request anonymity.
This policy covers vulnerabilities that let an untrusted Nyx input cause:
- Remote or local code execution in the Nyx process
- Privilege escalation, data exfiltration, or denial of service
False positives / missed detections in scan results are quality issues, not security issues—please file normal GitHub issues for those.