Skip to content

Security: sohamkakraa/nexus

SECURITY.md

Security policy

Supported versions

Security fixes are applied to the latest release and the main branch.

Reporting a vulnerability

Do not open a public issue for an exploitable vulnerability.

Use GitHub private vulnerability reporting. Include:

  • affected Nexus version, operating system, and processor architecture
  • impact and realistic attack scenario
  • minimal reproduction
  • whether API keys, local files, IPC, MCP, shell commands, Apple Events, or updates are involved
  • suggested mitigation, if known

You should receive acknowledgement within 72 hours. We will coordinate disclosure after a fix is available.

Security boundaries

  • Provider keys are stored through keytar in macOS Keychain, Windows Credential Manager, or a Secret Service-compatible Linux keyring and are owned by the Electron main process.
  • The renderer is sandboxed, context-isolated, and has no Node integration.
  • IPC validates the sender, top frame, trusted renderer URL, and input schema.
  • Shell commands are parsed and executed without a shell.
  • MCP calls and supported system actions require visible approval. Apple Event controls are disabled outside macOS.
  • Diagnostics redact provider-key patterns and exclude prompts/files.
  • The website is static and must never handle provider API keys.

See the architecture, threat model, and public explanation at nexus.sohamkakra.com/security.

There aren't any published security advisories