Security
N0CK is built for security testing. We take the security of N0CK itself seriously.
Responsible Disclosure
Found a security issue in N0CK? We appreciate responsible disclosure.
What to Include
- Description of the vulnerability and its potential impact
- Steps to reproduce (ideally with a proof-of-concept)
- Version of N0CK affected (if known)
- Any mitigations or workarounds you've identified
Our Commitment
- Acknowledge receipt within 48 hours
- Provide regular updates on progress
- Credit you in release notes (if desired)
- No legal action for good-faith research
Security Practices
Code Security
N0CK follows secure coding practices including input validation, output encoding, least-privilege principles, and regular dependency updates. All outbound requests are gated through scope validation.
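The scope gate described above, as an added illustration rather than N0CK's own code (the ScopeGate class, its parameters and the hostnames are assumed): a check that every outbound URL must pass before a request is sent, matching hostnames on label boundaries and IP literals against CIDR ranges so that look-alike hosts, non-HTTP schemes, unexpected ports and userinfo in the URL do not slip past the scope.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical scope gate (not N0CK's code). Call guard() on every outbound URL,
# including each redirect hop, before the request is actually issued.
class ScopeViolation(Exception):
    pass

class ScopeGate:
    def __init__(self, hosts=(), wildcard_domains=(), networks=(), ports=(80, 443)):
        self.hosts = {h.lower().rstrip(".") for h in hosts}
        # "*.corp.example.test" -> "corp.example.test"; matched on label boundaries below
        self.wildcard_domains = {d.lower().lstrip("*.").rstrip(".") for d in wildcard_domains}
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.ports = set(ports)

    def is_in_scope(self, url: str) -> bool:
        try:
            parts = urlsplit(url)
            # .port raises ValueError on a non-numeric or out-of-range port
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:
            return False
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        # hostname is already lower-cased and has any userinfo removed, so
        # "http://app.example.test@evil.test/" is evaluated as evil.test
        host = parts.hostname.rstrip(".")
        if port not in self.ports:
            return False
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            return any(addr in net for net in self.networks)
        if host in self.hosts:
            return True
        # Label-boundary suffix match: "api.corp.example.test" matches, but
        # "notcorp.example.test" and "corp.example.test.evil.test" do not.
        return any(host == d or host.endswith("." + d) for d in self.wildcard_domains)

    def guard(self, url: str) -> str:
        # Raise instead of silently dropping, so a scope bypass is visible in logs/tests
        if not self.is_in_scope(url):
            raise ScopeViolation(f"refusing out-of-scope request: {url}")
        return url
```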
Data Handling
Evidence is redacted before storage. Credentials are never logged. Secrets must be provided via environment variables, never hardcoded. N0CK does not send data to third parties unless explicitly configured to do so.
Dependencies
We regularly audit and update dependencies. Known vulnerabilities in dependencies are addressed promptly. Supply chain security is a priority.
Transparency
Security advisories are published in the changelog. Critical issues are disclosed after a fix is available and deployed.
Security Researchers Hall of Fame
We're grateful to security researchers who help keep N0CK secure.
No vulnerabilities have been reported yet. Be the first!
In Scope
We welcome reports on the following:
- Remote code execution, privilege escalation, SQL injection
- Authentication bypass, session fixation, CSRF
- Scope bypass allowing out-of-scope attacks
- Unintended data exfiltration or credential leakage
- Critical supply chain vulnerabilities
Out of scope:
- Social engineering, physical attacks, DoS/DDoS
- Issues in third-party services or dependencies (report to them directly)
- Known issues already documented in the changelog or GitHub issues