Security: nordtheme/nord
Security
Note: By interacting with the Nord project, organization, and community you agree to abide by its code of conduct and to follow general open source contribution guidelines and etiquette.
This document outlines security procedures and policies for security vulnerabilities in the Nord project.
Nord takes the security of its projects seriously. This includes all (source code) repositories managed through this GitHub organization as well as the official organization for the Nord community.
If you believe you have found a security vulnerability [1] in any Nord-owned repository that meets the definition of vulnerabilities, please report it as described below.
Reports should only be related to…
- …official Nord projects and ports within the nordtheme GitHub organization, including the official website(s). Only code that is actually owned by Nord is in scope; issues in the upstream project of a port must be reported to the corresponding maintainers or companies of that upstream project. Nord will of course help to report issues to the upstream team, but is not responsible for security vulnerabilities in upstream projects in any way.
- …Nord community projects and ports within the nordtheme-community GitHub organization. The same scope rule for upstream projects of ports applies as for official Nord projects and ports, but additionally the handling and disclosure of security vulnerabilities is the task of the maintainer team of the specific Nord community project or port. The Nord core team will of course aid in closing issues as quickly as possible, but the main administration lies with the respective maintainers.
Warning: Never report security vulnerabilities through public GitHub issues or any other public (communication) channel or platform!
Instead, please report security vulnerabilities by either…
- …using GitHub's "Private Security Vulnerability Reporting" system.
- …sending an email to security@nordtheme.com, if you prefer to submit without logging in or creating a GitHub account. If possible, please encrypt your email with Nord's Age [2] or PGP [3] (GPG) key; both can be found in the GitHub organization's .github repository [4] [5] and are inlined below this list.
- …writing a private message in Matrix to @svengreb:matrix.org or @nordtheme:matrix.org, or asking any moderator in the #nordtheme:matrix.org space for further help to submit a report. Alternatively, contact svengreb#2186 or nordtheme#0637 on the official Nord Discord server. Please note that both community platforms are public areas. When escalating there, do not discuss the issue in public, e.g. in the rooms or channels themselves, but simply ask for ways to get hold of someone from the project team if both direct contacts listed above are not available at the moment.
Public keys for encrypted communications:
Age
age10tg5xee38ecn3jgt45quzvkxq2nghlrk4dxpul28tvcmr8ksjfhstmcuar
PGP (GPG)
-----BEGIN PGP PUBLIC KEY BLOCK-----
… (key body not reproduced here; fetch the full armored key from the .github repository, footnote [5])
-----END PGP PUBLIC KEY BLOCK-----
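The keys above are meant to be used from the command line. As an added example (not code from the Nord project), the POSIX shell script below checks that the Age recipient has the shape of an X25519 Age recipient, then encrypts a report file with age and, optionally, with gpg. It assumes the age and gpg tools are installed, that the report is a plain text file, and that the armored PGP key has been saved locally as nordtheme.gpg.asc (the file name mirrors footnote [5] but is an assumption of this example); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Nord security policy): encrypt a vulnerability
# report for security@nordtheme.com with the Age recipient published above and,
# optionally, with the PGP key from the .github repository.
# Assumptions (not stated on the page): the report is a plain text file and the
# armored PGP key has been saved locally as nordtheme.gpg.asc.

# The Age recipient exactly as published on the page.
NORD_AGE_RECIPIENT='age10tg5xee38ecn3jgt45quzvkxq2nghlrk4dxpul28tvcmr8ksjfhstmcuar'

# Sanity-check a recipient string before trusting it: an X25519 Age recipient
# is "age1" followed by 58 Bech32 characters (the 32-byte key plus checksum).
# This catches copy/paste damage such as a dropped or substituted character;
# it does not replace fetching the key from the repository and comparing it.
age_recipient_ok() {
    printf '%s' "$1" | grep -Eq '^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$'
}

# Prints the Age recipient if it is well-formed, otherwise fails.
nord_age_recipient() {
    age_recipient_ok "$NORD_AGE_RECIPIENT" || return 1
    printf '%s\n' "$NORD_AGE_RECIPIENT"
}

# Encrypt $1 (the report) to the Age recipient. -a writes ASCII armor so the
# ciphertext can be pasted straight into an email body.
encrypt_with_age() {
    report="$1"
    nord_age_recipient >/dev/null || { echo 'bad Age recipient' >&2; return 1; }
    age -a -r "$NORD_AGE_RECIPIENT" -o "$report.age" "$report"
}

# Encrypt $1 with the PGP key in $2: read the key's fingerprint from the file,
# import it, and encrypt to that fingerprint rather than to a name, so a
# look-alike key already in the local keyring cannot be picked by mistake.
encrypt_with_pgp() {
    report="$1"; keyfile="$2"
    fpr=$(gpg --with-colons --import-options show-only --import "$keyfile" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || { echo 'no fingerprint found in key file' >&2; return 1; }
    gpg --import "$keyfile"
    gpg --armor --encrypt --trust-model always --recipient "$fpr" \
        --output "$report.asc" "$report"
}

# Runs only when a report file is given, e.g.:
#   NORD_REPORT=report.txt sh encrypt-report.sh
if [ -n "${NORD_REPORT:-}" ]; then
    encrypt_with_age "$NORD_REPORT"
    [ -f nordtheme.gpg.asc ] && encrypt_with_pgp "$NORD_REPORT" nordtheme.gpg.asc
fi
```

Before sending, compare the Age recipient and the PGP fingerprint with the copies published in the .github repository; the format check above only detects damaged strings, not a substituted key.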
Please include as much information as possible, using the questions listed below as a guideline, to help us better understand the nature and scope of the possible issue and triage the report more quickly:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
Note that all communications, following the global standard, must be in English to ensure that the process can take place with as few language barriers as possible and to avoid possible translation problems during the process.
Confirmed vulnerabilities will be investigated and patched as quickly as possible and rolled out to affected users through a patch or minor release version, depending on the status of the current project development, the release cycle and the possibility to backport to other supported versions.
Resolved security vulnerabilities will be made public as an advisory [6] [7] on GitHub and, in most cases, additionally announced via other official communication channels and platforms. This might also include a guide on how to apply mitigating steps to aid users in closing the security vulnerability as simply as possible.
Copyright © 2016-present Sven Greb
Footnotes
[4] https://github.com/nordtheme/.github/blob/main/data/nordtheme.age.txt.pub
[5] https://github.com/nordtheme/.github/blob/main/data/nordtheme.gpg.asc
[6] https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
[7] https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure