The following versions of NextDeploy are currently receiving security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in NextDeploy, please report it responsibly:
- Email: yussuf@hersi.dev or open a GitHub private security advisory
- Include as much of the following as possible:
  - Type of vulnerability (e.g. remote code execution, credential leak, SSRF)
  - Full path of the affected source file(s)
  - Steps to reproduce or a proof-of-concept
  - Potential impact and attack scenario
| Timeline | Action |
|---|---|
| Within 48 hours | Acknowledgement of your report |
| Within 7 days | Initial triage and severity assessment |
| Within 30 days | Patch or mitigation plan communicated |
| Post-fix | Public disclosure coordinated with you |
If a vulnerability is accepted, you will be credited in the release notes (unless you prefer to remain anonymous).
If a vulnerability is declined (e.g. out of scope or not reproducible), you will receive a clear explanation.
The following are considered in scope:
- `cli/` — the `nextdeploy` CLI binary
- `daemon/` — the `nextdeployd` server daemon
- `shared/` — shared libraries used by both
- Ansible provisioning playbooks in `cli/cmd/ansible/`
The following are out of scope:
- Vulnerabilities in third-party dependencies (please report those upstream)
- Issues in example configs or documentation
- Social engineering attacks
- Store SSH private keys with `chmod 600` and never commit them to source control
- Use Doppler or another secrets manager — never put secrets directly in `nextdeploy.yml`
- Rotate your deployment server SSH keys periodically
- Keep the `nextdeploy` binary up to date to receive the latest security patches