
Security Policy

Last updated: March 2026 · Version 1.0

Security Architecture

Nexxus is built in pure Rust with a defense-in-depth security model. Key primitives:

Encryption

Three layers: ChaCha20-Poly1305 and AES-256-GCM authenticated encryption applied in cascade, keyed from an Argon2id KDF (m=65536 KiB, i.e. 64 MiB of memory; t=4 passes; p=2 lanes)

Integrity

BLAKE3 content hashing + HMAC-SHA256 tamper-evident audit chain on all vault files
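How a tamper-evident audit chain of this shape catches edits, deletions, reordering and forged entries, and where it needs an external anchor (truncation), as an added illustration in Python. This is not Nexxus code (Nexxus is Rust): Python's hashlib has no BLAKE3, so BLAKE2b-256 stands in for the content hash; the MAC key, file names and contents are constructed for the demo, and the entry layout (seq, path, hash, tag) is an assumption, not the Nexxus vault format.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real vault would derive the MAC key from the vault key, not hard-code it.
MAC_KEY = bytes(range(32))
GENESIS_TAG = b"\x00" * 32  # tag "before" the first entry


def content_hash(data: bytes) -> str:
    # hashlib ships no BLAKE3; BLAKE2b-256 stands in for the content hash in this demo.
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Fixed field set and key order so the MAC input cannot be reinterpreted.
    fields = {k: entry[k] for k in ("seq", "path", "hash")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, path: str, data: bytes, key: bytes = MAC_KEY) -> dict:
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS_TAG
    entry = {"seq": len(chain), "path": path, "hash": content_hash(data)}
    # Each tag covers the previous tag, so it transitively covers the whole history.
    entry["tag"] = hmac.new(key, prev_tag + _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = MAC_KEY,
                 expected_head: Optional[str] = None) -> tuple:
    """Return (ok, index): index is the first entry that fails, -1 if the chain is
    intact, or len(chain) if only the head anchor check fails."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        try:
            if entry["seq"] != i:                      # deletion, insertion or reordering
                return False, i
            expected = hmac.new(key, prev_tag + _canonical(entry), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["tag"]):  # edited or forged entry
                return False, i
            prev_tag = bytes.fromhex(entry["tag"])
        except (KeyError, TypeError, ValueError):
            return False, i
    # Cutting off the newest entries leaves a self-consistent chain, so the head tag
    # must be anchored where an attacker cannot rewrite it (e.g. the vault header).
    if expected_head is not None and not hmac.compare_digest(prev_tag.hex(), expected_head):
        return False, len(chain)
    return True, -1


def file_matches(entry: dict, data: bytes) -> bool:
    """Check a vault file's current bytes against the hash recorded in its audit entry."""
    return hmac.compare_digest(entry["hash"], content_hash(data))


def build_demo_chain() -> list:
    chain = []  # constructed vault files and contents
    append_entry(chain, "vault/notes.db", b"note 1\n")
    append_entry(chain, "vault/notes.db", b"note 1\nnote 2\n")
    append_entry(chain, "vault/settings.json", b'{"tor": true}')
    return chain


def tamper_results() -> dict:
    """Run the verifier over an intact chain and five tampered copies."""
    good = build_demo_chain()
    head = good[-1]["tag"]

    edited = copy.deepcopy(good)
    edited[1]["hash"] = content_hash(b"note 1\nEVIL\n")   # rewrite a recorded hash

    deleted = copy.deepcopy(good)
    del deleted[1]                                       # drop a middle entry

    swapped = copy.deepcopy(good)
    swapped[1], swapped[2] = swapped[2], swapped[1]      # reorder entries

    truncated = copy.deepcopy(good)[:-1]                 # cut off the newest entry

    forged = copy.deepcopy(good)
    append_entry(forged, "vault/notes.db", b"attacker\n", key=b"wrong key")

    return {
        "intact": verify_chain(good, expected_head=head),
        "edited": verify_chain(edited, expected_head=head),
        "deleted": verify_chain(deleted, expected_head=head),
        "swapped": verify_chain(swapped, expected_head=head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, expected_head=head),
        "forged": verify_chain(forged, expected_head=head),
    }
```

The `truncated_no_anchor` case is the one to remember: a keyed hash chain proves nothing was changed up to its last entry, but not that the last entry is really the last. Whatever stores the head tag (the vault header, a separate sealed record) is part of the trusted base.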

Anonymity

Optional Tor SOCKS5 routing with per-tab stream isolation to prevent circuit correlation

Memory Safety

Safe Rust throughout: no unsafe blocks in security-critical paths. ZeroizeOnDrop (zeroize crate) on all key material, so secrets are wiped from memory when they go out of scope

Network

Zero telemetry. No background connections. Every connection is user-initiated or user-configured

Updates

Manual-only update checks. SHA-256 checksums published for all release binaries
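Checking a downloaded release binary against a published SHA-256 checksum list, as an added example (not the project's own tooling; on a Unix shell `sha256sum -c` does the same job). It parses sha256sum-style lines, streams the file through SHA-256 and compares in constant time. The checksum list, file names and file contents below are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue                               # not a SHA-256 hex digest; ignore the line
        sums[name] = digest
    return sums


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # stream: release binaries can be large
            h.update(chunk)
    return h.hexdigest()


def verify_release(path: str, sums_text: str) -> bool:
    """True only if the file's digest matches the entry published under its file name."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False        # no published checksum is a failure, never a pass
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    # Constructed checksum list and files; the names are illustrative, not real Nexxus artifacts.
    # ba7816bf... is SHA-256("abc").
    sums_text = (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  nexxus-linux-x86_64\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *nexxus-windows-x86_64.exe\n"
    )
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "nexxus-linux-x86_64")
        with open(good, "wb") as f:
            f.write(b"abc")                     # matches the published digest
        bad = os.path.join(d, "nexxus-windows-x86_64.exe")
        with open(bad, "wb") as f:
            f.write(b"abd")                     # one byte off: a corrupted or swapped download
        unlisted = os.path.join(d, "nexxus-macos-aarch64")
        return {
            "good": verify_release(good, sums_text),
            "tampered": verify_release(bad, sums_text),
            "unlisted": verify_release(unlisted, sums_text),
        }
```

A checksum fetched from the same place as the binary shows the download matches what that server served; it does not by itself show who built the binary. Keep the checksum list you compare against from the release page itself, and treat a missing or malformed entry as a failed check rather than skipping it.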

Supported Versions

Security fixes are applied to the latest release only. Users are encouraged to always run the latest version.

Vulnerability Severity

CRITICAL — RCE / key extraction
HIGH — Deanonymization / data leak
MEDIUM — Integrity bypass
LOW — UI/UX security issue

Responsible Disclosure

We practice responsible disclosure. If you discover a security vulnerability in Nexxus, report it to us privately rather than disclosing it publicly.

We aim to acknowledge reports within 48 hours and release a patch within 14 days for Critical/High severity issues. You will be credited in the security advisory unless you prefer to remain anonymous.

🐛 Report a Vulnerability

Email us directly to report vulnerabilities securely. Your report will be handled confidentially by the Nexxus security team.

Submit Security Report

Scope

In scope for security reports:

Out of scope:

Security Hall of Fame

Researchers who responsibly disclose valid security vulnerabilities will be acknowledged here. No reports yet — be the first.

Bug Bounty

Nexxus does not currently offer a paid bug bounty program. We offer public recognition and gratitude to researchers who help make Nexxus more secure.