The following versions of nginx-lua are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.29.7+ | ✅ |
| < 1.29.7 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If there are any vulnerabilities in nginx-lua, don't hesitate to report them using the contact options listed on this GitHub profile.
A machine-readable security contact is available at .github/security.txt per RFC 9116.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help triage your report more quickly.
In accordance with the EU Cyber Resilience Act (CRA) Article 11 and NIS2 Directive Article 21(2)(e):
| Action | Timeline |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Initial assessment | Within 5 business days |
| Security advisory (if confirmed) | Within 14 days of confirmation |
| Patch release (critical) | Within 30 days of confirmation |
| Patch release (high) | Within 60 days of confirmation |
| Public disclosure | Coordinated with reporter, max 90 days |
All published Docker images are:
- Signed with cosign (Sigstore)
- Scanned for vulnerabilities with Trivy
- Accompanied by a signed SBOM in CycloneDX format
See SUPPLY_CHAIN_SECURITY.md for full details.
We prefer all communications to be in English.