Security Policy

Supported versions

As Nexus is pre-1.0 and under active development, security fixes are applied to the latest version on the main branch only. Once Nexus reaches 1.0 this policy will be updated to cover the current major version line.

Reporting a vulnerability

If you discover a security vulnerability in Nexus, report it responsibly. Do not open a public issue.

Use GitHub's private vulnerability reporting feature. This keeps the report confidential until a fix is released and allows coordinated disclosure.

What to include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue, if possible
  • Any suggested fixes or mitigations

What to expect

  • Acknowledgment within 3 business days of your report
  • We will work with you to understand and validate the issue
  • A fix will be developed and released as quickly as possible
  • We follow a 90-day disclosure timeline: if a fix cannot be released within 90 days, we coordinate with you on public disclosure

Credit

We are happy to credit reporters in release notes and security advisories unless you prefer to remain anonymous.

Scope

Security issues in any of the following are in scope:

  • Authentication and authorization bypass in nexus-http-auth
  • Arbitrary code execution via deserialization in nexus-serialization
  • Information disclosure through dead letter or persistence stores
  • Privilege escalation via the worker pool or cluster transport
  • Denial of service via mailbox exhaustion or scheduling loops

Issues in third-party dependencies should be reported upstream. If a dependency vulnerability directly affects Nexus users, open a private advisory so we can coordinate a dependency update.