Security: AlphaBitCore/nexus-mock-provider

Security Policy

Scope and intended use

nexus-mock-provider is a test fixture: a mock LLM upstream for load and performance testing. By design it:

  • does not authenticate requests — any credential a client sends is accepted and ignored;
  • echoes request content back in its response;
  • enables permissive CORS.

Do not expose an instance to untrusted networks, and never send real secrets or personal data to it. Run it on loopback or inside a trusted network; if it must be reachable from elsewhere, front it with your own authentication and rate limiting. The bundled systemd unit locks the listener to loopback for this reason.
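
One way to confirm a deployed instance is bound to loopback only is to parse the output of `ss -ltnH` and flag any listener on the mock's port that is not on 127.0.0.0/8 or ::1. This is an added example, not code from the project; the port numbers and the sample output are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not captured from a real host).
# Ports 8080 and 9090 are assumed; substitute the port your instance uses.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' field into (host, port) or None."""
    host, _, port = field.rpartition(":")
    if not port.isdigit():
        return None
    # Drop the %iface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcard binds are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: fail closed, treat as exposed

def exposed_listeners(ss_output, port):
    """Return local addresses listening on `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = split_local(fields[3])
        if local and local[1] == port and not is_loopback(local[0]):
            exposed.append(fields[3])
    return exposed

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS, 9090):
        print("not loopback-only:", addr)
```

On a real host, pass the captured output of `ss -ltnH` in place of `SAMPLE_SS`; an empty result means every listener on that port is loopback-only.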

Reporting a vulnerability

If you find a security issue in the code (e.g. a crash/DoS reachable with a crafted request, or a way the process can be made to leak host data), please report it privately:

  • Use GitHub's "Report a vulnerability" (Security advisories) on this repo, or
  • email the maintainers at the address listed on the organization profile.

Please include reproduction steps and the affected version/commit. We aim to acknowledge within a few business days. Do not open a public issue for undisclosed vulnerabilities.

Supported versions

This project tracks main; fixes land there first and are included in the next tagged release. Only the latest release is supported.

There aren't any published security advisories