We take the security of Nomad IDE seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Send an email to the project maintainer with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

You can expect the following response timeline:
- Acknowledgment: within 48 hours
- Status update: within 7 days
- Resolution: we aim to resolve critical issues within 30 days
The following are in scope:
- Authentication/authorization bypasses
- Data exposure vulnerabilities
- Remote code execution
- Path traversal attacks
- Cross-site scripting (XSS)
- SQL injection
- Denial of Service attacks
- Social engineering
- Physical security issues
Nomad IDE includes several security features:
- Two-Factor Authentication (TOTP)
- JWT with HttpOnly cookies
- Rate limiting on authentication
- Account lockout after failed attempts
- Path traversal protection
- Security headers via Helmet.js

Recommended deployment practices:
- Always use HTTPS in production with a reverse proxy
- Set a strong JWT_SECRET (use `openssl rand -base64 32`)
- Keep the software updated to get security patches
- Limit network access to trusted IPs if possible
- Enable 2FA for all accounts
Thank you for helping keep Nomad IDE and its users safe!