NDEVR Security Advisories
This page lists security vulnerabilities we have fixed in NDEVR OWL and our applications, with the affected products and versions, a severity rating, a description, and how to remediate. It is the public side of our coordinated vulnerability disclosure program.
1. How we publish
We publish an advisory for any security vulnerability that affected a released build of an NDEVR product, in coordination with the reporter, once a fix is broadly available (by default within 90 days of the report, or sooner when a fix ships). Advisories are listed newest-first under §4.
Each fixed vulnerability also ships as a security-flagged update: the build is marked as a security release and graded by severity, so an out-of-date client can tell a security fix apart from a feature update and surface it. See §5.
2. Advisory format
Every advisory below follows the same structure, so the important facts are easy to find:
| Field | Meaning |
|---|---|
| Advisory ID | A stable identifier, e.g. NDEVR-2026-0001. A CVE ID is added when one is assigned. |
| Published / Updated | The date the advisory was first published and last revised. |
| Severity | Low / Medium / High / Critical — see §3. |
| Affected products & versions | Which products and version ranges are affected. |
| Fixed in | The first version of each product that contains the fix. |
| Description | What the issue is, its impact, and (after remediation) enough detail to understand it. |
| Remediation | What to do — usually "update to the fixed version"; any workaround if no update is available. |
| Credit | The reporter, with their permission. |
3. Severity ratings
We grade each advisory so you can prioritize. The same grades label our security-flagged releases.
| Severity | What it means |
|---|---|
| Critical | Remotely exploitable with no interaction, or a break of OWL's end-to-end encryption / account isolation. Update immediately. |
| High | Serious impact (e.g. unauthorized data access or account takeover) but with some precondition. Update promptly. |
| Medium | Limited impact, or significant preconditions (e.g. requires a local foothold or a specific configuration). Update at the next convenient opportunity. |
| Low | Minor impact or hard to exploit; includes defense-in-depth hardening. |
4. Published advisories
5. Staying up to date
The most reliable protection is to run a current version:
- Desktop & OWL clients check for updates automatically. A security fix arrives flagged as a security update with its severity, so it is surfaced distinctly from ordinary releases — apply it when prompted.
- Watch this page and /.well-known/security.txt for the canonical contact and any future advisory feed.
- Report something you've found to security@ndevr.org; encrypt sensitive details with our PGP key. Our full process, timelines, and safe-harbor terms are on the disclosure policy page.