Security & Trust at NDEVR

This is the home for everything about the security of OWL and our software: how to report a vulnerability, the advisories we've published, the security properties of the product, and where we stand on regulatory conformity.

Report a security issue: security@ndevr.org · Encrypt with our PGP key (fingerprint 2996 4BF4 2EAE 7E74 F717 498C EBE8 8544 0D3F 68C3) · Machine-readable: /.well-known/security.txt.

Found a vulnerability? Email security@ndevr.org with the affected product and version, the impact, and steps to reproduce. We acknowledge within 3 business days and coordinate disclosure with you. Full terms and safe harbor: our disclosure policy.

1. Report a vulnerability

Our Coordinated Vulnerability Disclosure policy explains how to report an issue, what we commit to in return (acknowledge in 3 business days, assess in 10, coordinate disclosure), the safe-harbor terms for good-faith research, and what is in and out of scope. Reports that demonstrably break OWL's end-to-end encryption model are especially valued.

2. Security advisories

When we fix a security issue, we publish a security advisory describing the affected products and versions, severity, and remediation. This is the public record of vulnerabilities we've handled.

3. OWL product security

The OWL product security information page describes OWL's security properties — zero-knowledge end-to-end encryption, the cryptography we use, signed updates — and gives guidance for using and operating OWL securely, including the declared security support period.

4. Compliance & conformity

Our compliance & conformity launchpad covers each area of OWL's regulatory conformity — the EU Cyber Resilience Act (CRA), data protection and privacy, and more as our program matures. Each area links to its own page stating clearly what is finalized and what is still in progress; the CRA program in particular is underway ahead of the regulation's phased application.