If you discover a security vulnerability in any Nanto BV project, please report it privately. Do not open a public issue.
Preferred: GitHub private vulnerability reporting on the affected repository.
Email: security@nanto.org
Please include:
- The repository and version (or commit SHA) affected
- A description of the issue and its potential impact
- Steps to reproduce, or a proof-of-concept where possible
- Any suggested mitigation
- Acknowledgement within 48 hours of receiving your report.
- Initial assessment (severity, affected versions, fix path) within 7 days.
- Coordinated disclosure: we will agree a disclosure timeline with you before publishing details. Default embargo is 90 days, or until a fix is released — whichever comes first.
This policy applies to all repositories under the nantobv organization, unless an individual repository publishes its own SECURITY.md overriding these terms.
Out of scope:
- Vulnerabilities in third-party dependencies — report those upstream first; we are happy to help coordinate.
- Issues that require privileged local access the attacker already has.
- Findings from automated scanners without a demonstrable impact.
We will not pursue legal action against researchers who:
- Make a good-faith effort to follow this policy.
- Avoid privacy violations, destruction of data, and interruption of service.
- Give us a reasonable opportunity to remediate before public disclosure.