Security: mrceha/NexusEye

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 1.x     | ✅ Active |

Reporting a Vulnerability

If you discover a security vulnerability in NexusEye, please do not open a public issue.

Instead, report it responsibly:

  1. Email: Send details to the maintainer via GitHub private advisory
  2. Include: A clear description of the vulnerability, steps to reproduce, and potential impact
  3. Response: You can expect an initial response within 48 hours

Scope

The following are in scope for security reports:

  • Authentication bypass or token forgery
  • Unauthorized access to scan data or other users' resources
  • Remote code execution via scan inputs or API parameters
  • SQL injection, NoSQL injection, or Elasticsearch query injection
  • Server-Side Request Forgery (SSRF)
  • Privilege escalation (user → admin)

Out of Scope

  • Scanning third-party networks without authorization (this is a user responsibility)
  • Denial of service via legitimate scan operations
  • Issues in third-party dependencies (report upstream)

Responsible Disclosure

We follow a 90-day disclosure policy. After a fix is released, we will publicly acknowledge your contribution (with your permission).


Maintained by @mrceha

There aren't any published security advisories