NDEVR Security Advisories

This page lists security vulnerabilities we have fixed in NDEVR OWL and our applications, with the affected products and versions, a severity rating, a description, and how to remediate. It is the public side of our coordinated vulnerability disclosure program.

Report a vulnerability: security@ndevr.org · Machine-readable contact: /.well-known/security.txt · Disclosure policy: Security & Vulnerability Disclosure.

No advisories have been published yet. When we fix a security issue that affected a released build, we publish the advisory here once a fix is broadly available — see §2 for the structure each entry follows and §5 for how to make sure you receive the fix.

1. How we publish

We publish an advisory for any security vulnerability that affected a released build of an NDEVR product, in coordination with the reporter, once a fix is broadly available (by default within 90 days of the report, or sooner when a fix ships). Advisories are listed newest-first under §4.

Each fixed vulnerability also ships as a security-flagged update: the build is marked as a security release and graded by severity, so an out-of-date client can tell a security fix apart from a feature update and surface it. See §5.

2. Advisory format

Every advisory below follows the same structure, so the important facts are easy to find:

Field | Meaning
Advisory ID | A stable identifier, e.g. NDEVR-2026-0001. A CVE ID is added when one is assigned.
Published / Updated | The date the advisory was first published and last revised.
Severity | Low / Medium / High / Critical — see §3.
Affected products & versions | Which products and version ranges are affected.
Fixed in | The first version of each product that contains the fix.
Description | What the issue is, its impact, and (after remediation) enough detail to understand it.
Remediation | What to do — usually "update to the fixed version"; any workaround if no update is available.
Credit | The reporter, with their permission.

3. Severity ratings

We grade each advisory so you can prioritize. The same grades label our security-flagged releases.

Severity | What it means
Critical | Remotely exploitable with no interaction, or a break of OWL's end-to-end encryption / account isolation. Update immediately.
High | Serious impact (e.g. unauthorized data access or account takeover) but with some precondition. Update promptly.
Medium | Limited impact or significant preconditions (e.g. requires a local position or specific configuration).
Low | Minor impact or hard-to-exploit; defense-in-depth hardening.

4. Published advisories

Newest first.

None to date. No security advisories have been published. This is expected for a product that has not yet had a disclosed, fixed vulnerability — the page and its format are in place so the first advisory can be published without delay. Subscribe to updates as described in §5 to be notified when one is.

5. Staying up to date

The most reliable protection is to run a current version:

  • Desktop & OWL clients check for updates automatically. A security fix arrives flagged as a security update with its severity, so it is surfaced distinctly from ordinary releases — apply it when prompted.
  • Watch this page and /.well-known/security.txt for the canonical contact and any future advisory feed.
  • Report something you've found to security@ndevr.org; encrypt sensitive details with our PGP key. Our full process, timelines, and safe-harbor terms are on the disclosure policy page.