Skip to content

Security: nantobv/.github

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in any Nanto BV project, please report it privately. Do not open a public issue.

Preferred: GitHub private vulnerability reporting on the affected repository.

Email: security@nanto.org

Please include:

  • The repository and version (or commit SHA) affected
  • A description of the issue and its potential impact
  • Steps to reproduce, or a proof-of-concept where possible
  • Any suggested mitigation

What to Expect

  • Acknowledgement within 48 hours of receiving your report.
  • Initial assessment (severity, affected versions, fix path) within 7 days.
  • Coordinated disclosure: we will agree a disclosure timeline with you before publishing details. Default embargo is 90 days, or until a fix is released — whichever comes first.

Scope

This policy applies to all repositories under the nantobv organization, unless an individual repository publishes its own SECURITY.md overriding these terms.

Out of scope:

  • Vulnerabilities in third-party dependencies — report those upstream first; we are happy to help coordinate.
  • Issues that require privileged local access the attacker already has.
  • Findings from automated scanners without a demonstrable impact.

Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to follow this policy.
  • Avoid privacy violations, destruction of data, and interruption of service.
  • Give us a reasonable opportunity to remediate before public disclosure.

There aren't any published security advisories