Note By interacting with the Nord project, organization, and community you agree to abide to its code of conduct and follow general open source contribution guidelines and etiquettes!

This document outlines security procedures and policies for security vulnerabilities in the Nord project.

Nord takes the security of its projects seriously, which includes all (source code) repositories managed through this GitHub organization as well as the official organization for the Nord community.

If you believe you have found a security vulnerability []¹ in any Nord-owned repository that meets the definition of vulnerabilities, please report it as described below.

Reports should only be related to…

• official Nord projects and ports within the nordtheme GitHub organization, including the official website(s). Only code that is actually owned by Nord is supported while issues related to the upstream project of a port must be reported to the corresponding maintainers or companies of the upstream project. Of course Nord will help to report issues to the upstream team but we are not responsible for security vulnerabilities in upstream projects in any way.
• Nord community projects and ports within the nordtheme-community GitHub organization. The same scope for upstream projects of ports applies like for official Nord projects and ports, but additionally the task of the security vulnerability handling and disclosure process is part of the corresponding maintainer team of the specific Nord community project or port. Of course the Nord core team will aid in closing issues as quickly as possible, but the main administration lies with the respective maintainers.

Warning Never report security vulnerabilities through public GitHub issues or any other public (communication) channel or platform!

Instead, please report security vulnerabilities by either…

• …using GitHub‘s “Private Security Vulnerability Reporting“ system.
• …sending an email to security@nordtheme.com, if you prefer to submit without logging in or creating a GitHub account. If possible, please encrypt your email with Nord‘s Age []² or PGP []³ (GPG) key where both can be found in the GitHub organization .github repository []⁴ []⁵ and inlined below this list.
• …writing a private message in Matrix to @svengreb:matrix.org or @nordtheme:matrix.org or ask any moderator in the #nordtheme:matrix.org space for further help to submit a report. Alternatively, contact svengreb#2186 or nordtheme#0637 on the official Nord Discord server. Please note that both community platforms are public areas. When escalating to that address please do not discuss the issue in public, e.g. no private messaging chats, but simply ask for ways to get a hold of someone from the project team if both direct contacts listed above are not available at the moment.

Public keys for encrypted communications:

    age10tg5xee38ecn3jgt45quzvkxq2nghlrk4dxpul28tvcmr8ksjfhstmcuar
  

  -----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEY8QP3BYJKwYBBAHaRw8BAQdAwzx7db39Nn0ipmt/cvLDzwGiTjWD3Afvtvph
Ey5QWOO0L25vcmR0aGVtZSAoTm9yZCBUaGVtZSkgPHNlY3VyaXR5QG5vcmR0aGVt
ZS5jb20+iJMEExYKADsWIQRhbe+hBgD3WHC1Pl6oD1Bh26nrkgUCY8QP3AIbAwUL
CQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCoD1Bh26nrkupJAP4v988C6lOo
Q+M4i2yY3DQXDzcboNsV09RaSIr9CHNL0wEA/cXIgoMvEH9kXUh1G26q71wHe2PF
3FLqseRjyKiKnwq4OARjxA/cEgorBgEEAZdVAQUBAQdArJ+LNPCjPZ6GjQfRVWNu
iKwzI0xKxkUyMvWOxaqa81EDAQgHiHgEGBYKACAWIQRhbe+hBgD3WHC1Pl6oD1Bh
26nrkgUCY8QP3AIbDAAKCRCoD1Bh26nrknCPAQDJb2HEMt8SbDyYzDtmBnKHru8C
xvBwhenNEVmbv57fOwEApIbZ0Sw9f1BZ89l6At8t1/aO5Uz2WX6usNQYu6DWSA8=
=PLj5
-----END PGP PUBLIC KEY BLOCK-----

Please include as much information as possible, using the questions listed below as a guideline, to help us better understand the nature and scope of the possible issue and help us triage the report more quickly:

• Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

Note that all communications, following the global standard, must be in English to ensure that the process can take place with as few language barriers as possible and to avoid possible translation problems during the process.

Confirmed vulnerabilities will be investigated and patched as quickly as possible and rolled out to affected users through a patch or minor release version, depending on the status of the current project development, release cycle process and ways to backport to other supported versions.

Resolved security vulnerabilities will be made public as advisory []⁶ []⁷ on GitHub and, in most cases, additionally announced via other official communication channels and platforms. This might also include a guide on how to apply mitigating steps to aid users in closing the security vulnerability as simply as possible.

Copyright © 2016-present Sven Greb