Security: nordtheme/web

Security Policies And Procedures

Note: By interacting with the Nord project, organization, and community you agree to abide by its code of conduct and to follow general open source contribution guidelines and etiquette!

This document outlines security procedures and policies for security vulnerabilities in the Nord project.

Nord takes the security of its projects seriously, which includes all (source code) repositories managed through this GitHub organization as well as the official organization for the Nord community.

If you believe you have found a security vulnerability [1] in any Nord-owned repository that meets the definition of vulnerabilities, please report it as described below.

Scope

Reports should only be related to…

  • official Nord projects and ports within the nordtheme GitHub organization, including the official website(s). Only code that is actually owned by Nord is supported; issues related to the upstream project of a port must be reported to the corresponding maintainers or companies of that upstream project. Of course Nord will help to report issues to the upstream team, but we are not responsible for security vulnerabilities in upstream projects in any way.
  • Nord community projects and ports within the nordtheme-community GitHub organization. The same scope for upstream projects of ports applies as for official Nord projects and ports, but additionally the security vulnerability handling and disclosure process is the task of the maintainer team of the specific Nord community project or port. Of course the Nord core team will aid in closing issues as quickly as possible, but the main administration lies with the respective maintainers.

Reporting Security Issues

Warning: Never report security vulnerabilities through public GitHub issues or any other public (communication) channel or platform!

Instead, please report security vulnerabilities by either…

Public keys for encrypted communications:

Age
    age10tg5xee38ecn3jgt45quzvkxq2nghlrk4dxpul28tvcmr8ksjfhstmcuar

PGP (GPG)


Please include as much information as possible, using the questions listed below as a guideline, to help us better understand the nature and scope of the possible issue and help us triage the report more quickly:

  • Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

Note that all communications must be in English, following the common standard for open source projects, to ensure that the process can take place with as few language barriers as possible and to avoid translation problems during the process.

Public Disclosure Process

Confirmed vulnerabilities will be investigated and patched as quickly as possible and rolled out to affected users through a patch or minor release version, depending on the status of the current project development, the release cycle process, and the options for backporting to other supported versions.

Resolved security vulnerabilities will be made public as an advisory [6] [7] on GitHub and, in most cases, additionally announced via other official communication channels and platforms. This might also include a guide on how to apply mitigating steps to aid users in closing the security vulnerability as simply as possible.

Copyright © 2016-present Sven Greb

Footnotes

  1. https://csrc.nist.gov/glossary/term/vulnerability

  2. https://age-encryption.org

  3. https://www.openpgp.org

  4. https://github.com/nordtheme/.github/blob/main/data/nordtheme.age.txt.pub

  5. https://github.com/nordtheme/.github/blob/main/data/nordtheme.gpg.asc

  6. https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities

  7. https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure
