Help

Security Policy

How to report vulnerabilities responsibly and the practices that keep your NexoralDNS deployment safe.

Supported versions

VersionStatus

Latest✓ Always recommended

1.x.x✓ Current stable branch

< 1.0✕ Please upgrade

⛔

Do not use public issues

Never report security vulnerabilities through public GitHub issues. Email security@nexoral.in instead.

Reporting a vulnerability

Emailsecurity@nexoral.in

Subject[SECURITY] Brief description

EncryptionPGP key at nexoral.in/security (optional)

PremiumUse the priority channel, mark URGENT — SECURITY ISSUE

Include: vulnerability type (CWE/CVE), affected components and version, impact assessment, reproduction steps, and suggested mitigation.

Response timeline

StageFreePremium

Initial Response5 business days24 hours

Status UpdateWeeklyEvery 2–3 days

Triage Complete14 days3–5 days

Severity targets

SeverityInitialFix

Critical24h7–14 days

High48h14–30 days

Medium5 days30–60 days

Low10 daysNext release

Best practices

✓Keep NexoralDNS updated

✓Change default credentials immediately

✓Never expose port 53 or 4000 to the public internet

✓Limit dashboard access and review user permissions

✓Monitor query logs for suspicious activity

✓Back up configuration and test restores

Scope — In

✓NexoralDNS server (DNS, DHCP, Broker)

✓Web dashboard & management interface

✓API endpoints and authentication

✓Access control, data storage and encryption

✓Docker containers and installation scripts

Scope — Out

✕Third-party dependency vulnerabilities

✕Social engineering / physical attacks

✕Denial of Service (DoS) attacks

✕User-modified installations

✕Theoretical issues without a practical exploit

ℹ️

Safe harbour

No legal action against researchers acting in good faith who avoid privacy violations and data destruction, and who follow this disclosure policy.