SECURITY.md
Security Policy

2024-09-24 Status: Software releases from the nfoTools project are intended primarily for use by software developers and are provided as open source, available for inspection and understanding by developers. Some materials are intended to support novices and those wanting to dig deeper into software development.

While there is generally no code that would be installed for end-users, there are potential "supply-chain" risks that might emerge when an nfoTool dependency is used in downstream development.

Although there are no such cases at this time, these security provisions are in place as a precaution against eventualities where threat surface exposures might arise.

Supported Versions

Most considerations of errors and defects can be handled using the project Issues and Discussion topics. As a safe practice, there is also security-reporting support for currently-released nfoTools.

Version Supported
VCrayApp 0.1.0-beta

Reporting a Vulnerability

Please confine vulnerability reporting to Orcmid on GitHub projects that have supported releases.

To privately report an exploitable vulnerability or exposed threat-surface that pertains to nfoTools, however unlikely, use the GitHub vulnerability reporting provision of the nfoTools Security tab.

If you are unable to exercise that capability, or prefer private email communication, send a digitally-signed plaintext email to orcmid.

If you have reservations about email security/privacy, enclose an ASCII-armored file PGP-encrypted using the orcmid Apache public key.

Finally, if you wish to receive encrypted responses, sign that message before encryption so that your public key is available for that purpose.