Buriburizaemon/nodewarden
1
0
Fork 0
mirror of https://github.com/shuaiplus/nodewarden.git synced 2026-06-22 21:50:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3f785febc875a3008b6858248d7d430d898e3c00
nodewarden/SECURITY.md
T
Shuai 3f785febc8 Add SECURITY.md 
Add security reporting policy and vulnerability disclosure guidance.
2026-06-23 00:07:46 +08:00

2.8 KiB
Raw Blame History

Security Policy

Reporting a Vulnerability

Thank you for helping keep NodeWarden safe.

Please do not report security vulnerabilities through public GitHub issues, discussions, pull requests, or chat groups.

Use GitHub Private Vulnerability Reporting instead:

  1. Open the NodeWarden repository on GitHub.
  2. Go to Security and quality.
  3. Click Report a vulnerability.
  4. Submit the report privately.

NodeWarden is independent from Bitwarden. Please do not report NodeWarden-specific issues to the official Bitwarden team.

What to Include

Please include as much detail as possible:

  • A clear description of the vulnerability.
  • Steps to reproduce.
  • Affected version, commit, or deployment method.
  • Affected area, such as login, sync, vault data, attachments, Send, import/export, backup/restore, Passkey, WebAuthn, or API routes.
  • Expected behavior and actual behavior.
  • Security impact, such as authentication bypass, authorization bypass, replay, cross-user access, token misuse, data leakage, or secret exposure.
  • Proof of concept, logs, screenshots, or request examples, if safe to share privately.

Please redact real passwords, tokens, private keys, recovery keys, vault data, and other secrets before submitting.

Scope

Security reports are welcome for issues affecting NodeWarden itself, including:

  • Authentication and session handling.
  • User authorization and cross-user access.
  • Vault data, cipher sync, attachments, and Send.
  • Import, export, backup, and restore.
  • Passkey, WebAuthn, and two-factor authentication.
  • Secret handling and provider credentials.
  • Cloudflare Workers, D1, R2, KV, WebDAV, or S3 behavior caused by NodeWarden code or documentation.

Out of Scope

The following are usually out of scope:

  • Issues only affecting third-party services or user infrastructure.
  • Misconfigured personal deployments not caused by NodeWarden defaults.
  • Social engineering or phishing.
  • Denial-of-service testing.
  • Scanner-only reports without a practical exploit path.
  • Reports that only mention outdated dependencies without showing real impact.

Response

NodeWarden is maintained on a best-effort basis.

We aim to acknowledge valid private reports within 72 hours, investigate the issue, and release a fix or mitigation when appropriate.

Please do not publicly disclose vulnerability details before a fix or mitigation is available.

Supported Versions

Security fixes are generally provided for the latest release and the latest code on the default branch.

Version Supported
Latest release Yes
main branch Yes
Older releases Best effort
Modified forks Not directly supported

Rewards

NodeWarden does not currently operate a paid bug bounty program.

Reference in New Issue View Git Blame Copy Permalink