Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting to submit a confidential advisory. The maintainers will be notified immediately and can collaborate with you privately.

Send a detailed report to security@nexus.chat (PGP key available on keys.openpgp.org).

• A clear description of the vulnerability and its potential impact
• Step-by-step reproduction instructions (proof-of-concept code if available)
• The affected component(s) and version(s)
• Your suggested severity (Critical / High / Medium / Low)
• Any proposed mitigations

We follow coordinated disclosure. We ask that you give us the time frames above to address the issue before any public disclosure. Once a fix is released, we will:

1. Publish a GitHub Security Advisory
2. Release a patched version on the same day
3. Add a changelog entry crediting the reporter (if desired)
4. Request a CVE if warranted

• Authentication and authorisation bypasses
• Remote code execution (RCE)
• SQL/NoSQL injection
• Cross-site scripting (XSS) in the web client
• Information disclosure of private user data
• Denial of service attacks on the server
• SSRF vulnerabilities in federation / media proxying
• Cryptographic weaknesses in federation key signing

• Self-hosted deployments running behind misconfigured infrastructure that Nexus does not control
• Social engineering attacks targeting contributors
• Physical attacks
• Issues already known and documented in open GitHub issues

This project uses:

• cargo-audit — scans for known vulnerabilities in Rust dependencies (runs on every CI push via cargo audit)
• cargo-deny — enforces licence and advisory policies on every CI push
• GitHub Dependabot — automated pull requests for dependency updates

We sincerely thank all security researchers who responsibly disclose vulnerabilities. Contributors who report valid security issues will be credited in the advisory and in our CONTRIBUTORS.md (unless they prefer to remain anonymous).