NetTools Hub is a purely static navigation platform: it ships pre-rendered HTML, CSS, and JavaScript to GitHub Pages. There is no server, no database, no user accounts, and no API keys stored in the application code or the deployed bundle.
| Version | Supported |
|---|---|
| main (latest) | Active |
| Older deployments | Use main |
Because the project is static and dependency-light, security exposure is limited to:
- Build-time supply chain: npm packages and GitHub Actions versions pinned in `pnpm-lock.yaml` and `.github/workflows/deploy.yml`.
- Content integrity of `data/projects.json`: links and descriptions only; no executable code.
Please do not open a public GitHub Issue for security-sensitive reports.
Instead, use one of these private channels:
- GitHub Security Advisories (preferred): https://github.com/badhope/NetTools-Hub/security/advisories/new
- Email: contact a maintainer privately through their GitHub profile (https://github.com/badhope).
Please include:
- A clear, descriptive title
- A reproduction path (URL, build command, browser, OS)
- An assessment of impact and likelihood
- A suggested fix or mitigation, if you have one
- Whether you'd like to be credited in the advisory
| Step | Timeline |
|---|---|
| Acknowledgement | within 3 business days |
| Initial triage & severity assessment | within 7 business days |
| Patch (or documented mitigation) | within 30 days for Critical / High issues |
| Public disclosure | coordinated with the reporter, typically after a fix is shipped |
We follow coordinated disclosure: please give us a reasonable window before publishing details.
In scope:
- Cross-site scripting (XSS) via the static build, sitemap, or robots output
- Content injection in `data/projects.json` that could lead to XSS in the deployed site
- Vulnerable dependencies in `package.json` / `pnpm-lock.yaml`
- Tampered CI artifacts or compromised GitHub Actions versions
- Unsafe defaults in `.github/workflows/deploy.yml` (e.g. overly broad `permissions:`)
Out of scope:
- Third-party projects linked from `data/projects.json`: please report those to the upstream maintainers directly.
- GitHub Pages infrastructure itself: escalate to GitHub Support.
- Network policies of the user's environment: the project has no influence over which tools users can or cannot run.
Guidance for contributors:
- Never commit secrets (API keys, tokens, credentials): the repo is public and history rewrites are destructive. Even a one-line `.env` is enough to cause a leak; use `.env.example` as a template.
- Pin GitHub Actions to a full commit SHA in `.github/workflows/deploy.yml` for high-risk steps, or stay on a current major tag (`@v4`) for routine ones.
- Validate `data/projects.json` with `pnpm lint` before pushing: schema drift can break the build.
- Don't load remote scripts at runtime in components; the project is intentionally self-hosted.
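As an added illustration of the two workflow points above (least-privilege `permissions:` and SHA pinning for high-risk steps), here is a Pages deploy workflow in that shape; it is not the project's own `deploy.yml`, and the job names, build script, output directory and the specific Pages actions are assumptions.

```yaml
# Added example, not the project's deploy.yml. Job names, the pnpm build
# script, the output directory and the Pages actions are assumptions.
name: deploy

on:
  push:
    branches: [main]

# Weak setting (left commented out): granting every scope to every job.
# permissions: write-all

# Least-privilege baseline: the whole workflow only reads the repo.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Routine steps may stay on a current major tag.
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4          # assumed setup action
      - run: pnpm install --frozen-lockfile # fail instead of drifting from pnpm-lock.yaml
      - run: pnpm lint                      # validates data/projects.json
      - run: pnpm build                     # assumed build script name
      - uses: actions/upload-pages-artifact@v3
        with:
          path: ./dist                      # assumed output directory

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Only the deploy job receives the extra grants GitHub Pages needs.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
    steps:
      # High-risk step: pin to the full commit SHA of the release you
      # reviewed. The 40 zeros below are a placeholder, not a real SHA.
      - uses: actions/deploy-pages@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
```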
We are happy to credit reporters in the security advisory (or to keep it anonymous: your choice). By submitting a report, you confirm the information is provided in good faith and that you will keep the details confidential until coordinated disclosure.
Thank you for helping keep NetTools Hub and its users safe.