Nitrox does not currently satisfy all ideal security goals. For now authenticity and integrity in the communication between client and server is not implemented (see issue #1996). Therefore users should be aware that all packets sent and received could be manipulated to alter the in-game state or the game world independent of access rights.
The vulnerabilities we are most concerned about are vulnerabilities where the game or client->server->other clients environment is broken out of.
For example, any Remote Code Execution vulnerabilities(RCEs) or the gathering of personal information (except IPs required for the system to function) from clients or servers are severe vulnerabilities which will be immediately addressed. This also includes any access to files and folders that Nitrox does not normally make accessible (for example the world save files are generally accessible).

As this project is still rapidly evolving and in a beta state we will only provide security updates to the newest version available.

To discreetly report a vulnerability please get in touch with one of our support staff on our discord. Your request will be forwarded to one of the devs which will get in touch with you privately to further discuss and investigate the issue.
Once the issue is reproduced by the team, work will be started on a fix. You will be informed once the issue has been fixed and when the fix was included in a new release.
You are only allowed to publicly disclose the vulnerability one week after the mentioned release to give the users time to update their software.