This repository contains an installer for the open source NATS client tools, and manages nightly builds by Synadia of those tools, for use by that installer.
So that you know who you're talking to:
- NATS is an open source project under CNCF aegis
- Synadia Communications, Inc are the primary developers of NATS
ConnectEverythingis the GitHub Organization of Synadia Communications
The open source tools are:
The security policy for those tools, together with past advisories, etc can be found at:
If you use the GitHub private reporting on this repository, for an open source tool, then the maintainers here will route your request to the right people, but it's not ideal.
- Open Source: mailto:security@nats.io
- Synadia: mailto:security@synadia.com
(As an implementation detail, they might happen to be the same thing.)
- Both
synadia.comandnats.iocan safely be configured in your mail-systems to coerce TLS. - Most folks reading that list do not use OpenPGP. If you believe that the
use of OpenPGP is warranted, then, since security@ is a non-reencrypting
mailing-list (sorry)
- Reach out to find who will take your report
- Both domains have WKD set up to provide OpenPGP keys via a trusted path
In this repository, client-tools, you will find:
- An installer script for end-users to run on their machines
install.shfor POSIX-ish systemsinstall.ps1for Windows systems
- Copies of the public keys used to sign artifacts
- The configuration which creates nightly builds of the open source tools
- The website framework for
get-nats.io - Example completion files and shell configuration for zsh
Any of the things specific to this repository can and should be reported to Synadia.
You can use the private-report functionality of this repo, or the mailing-list above, at your discretion.
At this time, there is no bug bounty system in place for either Synadia or NATS.
If you'd like some swag, we can happily oblige.