
SECURITY.md

Security Policy

Project Status

This project is currently in alpha. It is under active, rapid development and security issues are expected as the design and implementation evolve.

We strongly encourage responsible disclosure and collaboration while the project matures.


Reporting a Vulnerability

Do not report security issues publicly.

  • ❌ Do not open public GitHub issues for security vulnerabilities
  • ❌ Do not disclose vulnerabilities in discussions, PRs, or social channels

Instead, report vulnerabilities privately via GitHub Security Advisories:

👉 https://github.com/always-further/nono/security/advisories/new

This ensures:

  • Coordinated disclosure
  • Time to assess and remediate
  • Protection for users and contributors

LLM-Generated Findings

If a vulnerability is identified by a Large Language Model (LLM):

  • ❌ Do not report it blindly
  • ✅ Ensure you fully understand and can explain the issue
  • ✅ Validate the impact and reproducibility

Low-quality or speculative reports slow down response time and reduce overall security effectiveness.


Expectations

Given the alpha status:

  • Breaking changes may occur without notice
  • Security guarantees are not yet stable
  • Some classes of vulnerabilities may not yet be fully mitigated

Use in production environments is not recommended at this stage.


Future Security Work

Prior to reaching v1.0, the project will undergo:

  • A comprehensive third-party security audit
  • Hardening of core components and interfaces
  • Formalization of security guarantees and threat models

Disclosure Policy

We aim to:

  • Acknowledge reports promptly
  • Investigate and validate findings
  • Provide fixes or mitigations where possible
  • Coordinate disclosure with reporters

Safe Harbor

When conducting security research in good faith and in accordance with this policy, we consider your research to be authorized. We will not initiate legal action against you for research that adheres to these guidelines.


Thank You

Responsible disclosure helps make this project safer for everyone.