The Nexartis NANDA Node SDK is used in production systems that route agent traffic, broker payments, and maintain trust metadata. Vulnerabilities are taken seriously. Please follow this policy when reporting them.
Email security@nexartis.com with:
- A description of the issue and its impact.
- A minimal reproduction (code, request payload, or steps).
- The SDK version (`@nexartis/nexartis-nanda-node-sdk` version from `package.json` or `pnpm why`) and runtime (Node, Workers, Bun, Deno, browser).
- Your preferred contact info for follow-up.
If the report contains sensitive details, request our PGP public key in the initial email; we will respond with our key fingerprint and an encrypted channel for the rest of the exchange.
Do not open a public GitHub issue, discussion, or pull request for suspected vulnerabilities. GitHub Private Vulnerability Reporting is also enabled on the repository and is an acceptable alternative channel.
We follow a 90-day coordinated disclosure SLA from the date a report is acknowledged by a maintainer:
| Milestone | Target |
|---|---|
| Initial acknowledgement | Within 3 business days of receipt |
| Triage and severity assessment | Within 10 business days |
| Fix, advisory draft, release plan | Within 45 days for High/Critical |
| Public disclosure + advisory | By day 90, or sooner once a fix ships |
If the reported vulnerability is already being actively exploited, we may accelerate disclosure. Reporters are credited in the published advisory unless they request anonymity.
Security fixes are backported to the supported release lines listed below.
| Version | Supported |
|---|---|
| 1.x (current) | ✅ Yes |
| < 1.0 (pre-release) | ❌ No — upgrade to 1.x |
Each major version receives security fixes for at least 6 months after the next major ships, giving consumers a window to migrate.
Releases published to npmjs.com use trusted publishing (OIDC) from this repository's GitHub Actions workflow and ship with npm provenance attestations. Inspect the registry metadata before installing, and verify the installed tree afterwards:

```sh
# Before installing: dist.attestations should be present for the version
npm view @nexartis/nexartis-nanda-node-sdk@<version> --json | jq .dist
# After installing: verify registry signatures and provenance of node_modules
npm audit signatures
```

The provenance attestation referenced under `dist.attestations` links to the exact GitHub Actions run that produced the tarball. Any release missing provenance metadata should be treated as unverified and reported to security@nexartis.com.
In scope:
- Code in this repository (`src/**`, build outputs published to npm).
- Packaging integrity (provenance, tarball contents, install scripts).
Out of scope:
- Vulnerabilities in third-party services the SDK communicates with (report those to the service operator).
- Denial of service from unrealistic traffic levels against public endpoints.
- Issues that require physical or privileged local access to a developer's machine.
We will not pursue legal action against researchers who:
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- Give us a reasonable window to remediate before public disclosure.
- Do not exploit the vulnerability beyond what is necessary to demonstrate impact.