Security: nexus-actors/nexus

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Nexus, please report it responsibly. Do not open a public issue.

Instead, use GitHub's private vulnerability reporting feature for this repository. This ensures the report stays confidential until a fix is available.

What to Include

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue, if possible.
  • Any suggested fixes or mitigations.

What to Expect

  • Acknowledgment within 3 business days of your report.
  • We will work with you to understand and validate the issue.
  • A fix will be developed and released as quickly as possible.
  • We follow a 90-day disclosure timeline: if we are unable to release a fix within 90 days, we will coordinate with you on public disclosure.

Credit

We are happy to credit reporters in release notes and security advisories unless you prefer to remain anonymous.

Supported Versions

As Nexus is pre-1.0 and under active development, security fixes will be applied to the latest version on the main branch only.

There aren’t any published security advisories