Security & Trust at NDEVR
This is the home for everything about the security of OWL and our software: how to report a vulnerability, the advisories we've published, the security properties of the product, and where we stand on regulatory conformity.
1. Report a vulnerability
Our Coordinated Vulnerability Disclosure policy explains how to report an issue, what we commit to in return (acknowledgment within 3 business days, assessment within 10, and coordinated disclosure), the safe-harbor terms for good-faith research, and what is in and out of scope. Reports that demonstrably break OWL's end-to-end encryption model are especially valued.
2. Security advisories
When we fix a security issue, we publish a security advisory describing the affected products and versions, severity, and remediation. This is the public record of vulnerabilities we've handled.
3. OWL product security
The OWL product security information page describes OWL's security properties — zero-knowledge end-to-end encryption, the cryptography we use, signed updates — and gives guidance for using and operating OWL securely, including the declared security support period.
4. Compliance & conformity
Our compliance & conformity launchpad covers each area of OWL's regulatory conformity — the EU Cyber Resilience Act (CRA), data protection and privacy, and more as our program matures. Each area links to its own page stating clearly what is finalized and what is still in progress; the CRA program in particular is underway ahead of the regulation's phased application.