Only the latest minor release receives security patches. Upgrade to the latest version for all fixes.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via:

1. GitHub Private Vulnerability Reporting: Report a vulnerability (preferred)
2. Email: devitway@gmail.com
3. Telegram: @devitway_pavel (private message)

• Type of vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial response: within 48 hours
• Status update: within 7 days
• Fix timeline: depends on severity

The following RustSec advisories are excluded from cargo audit in CI with documented rationale:

Why RS256 is required: GitHub Actions and GitLab CI OIDC providers sign their workload identity tokens with RS256. NORA must verify these signatures to support keyless CI/CD authentication. The rsa crate cannot be removed from the dependency tree without breaking OIDC integration.

Mitigations in place:

• Algorithm whitelist per OIDC provider (algorithms config field)
• Default allowed algorithms: RS256, ES256 (EdDSA ready when providers adopt it)
• Symmetric algorithms (HS256/384/512) rejected globally
• ed25519-dalek already compiled in via jsonwebtoken rust_crypto feature

Transitive dependency flagged as unmaintained. No fix available, no security impact — the crate is functioning correctly.

When deploying NORA:

1. Enable authentication - Set NORA_AUTH_ENABLED=true
2. Use HTTPS - Put NORA behind a reverse proxy with TLS
3. Limit network access - Use firewall rules
4. Regular updates - Keep NORA updated to latest version
5. Secure credentials - Use strong passwords, rotate tokens

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.

If you have previously reported a vulnerability and would like to be credited, please let us know.