If you believe you have found a security vulnerability in this project, report it privately by email to:
security@nowsecure.com
Please do not open a public GitHub issue for suspected vulnerabilities.
When possible, include:
- A clear description of the issue
- Affected versions, commits, or deployment context
- Reproduction steps or proof of concept
- The potential impact
- Any suggested mitigation if you have one
If your question is a product, deployment, configuration, or customer support issue rather than a security vulnerability, contact:
support@nowsecure.com
Examples of support requests include:
- Installation or upgrade help
- Configuration questions
- Operational troubleshooting
- General product usage questions
NowSecure supports coordinated disclosure for security vulnerabilities in this project.
Our expectations are:
- Report vulnerabilities privately to security@nowsecure.com
- Give us a reasonable opportunity to investigate, confirm, and remediate before public disclosure
- Do not publicly disclose details, proof of concept, or exploit steps until remediation is available or we agree on a disclosure timeline
- Make a good-faith effort to avoid privacy violations, service disruption, data destruction, or unauthorized access beyond what is necessary to demonstrate the issue
Our goals are:
- Acknowledge receipt of the report as quickly as practical
- Investigate and validate the issue
- Work toward remediation and coordinated communication
- Credit researchers when appropriate and desired
This policy applies to security vulnerabilities in the source code and published releases of this repository.
If you are unsure whether something is a security issue or a support issue,
send it to security@nowsecure.com and include the context you have.
Please avoid sharing sensitive details in public GitHub issues, pull requests, discussions, or commit messages.
If a public report is accidentally opened for a suspected vulnerability, maintainers may limit discussion and ask that the report be resubmitted privately.