Coordinated Vulnerability Disclosure Policy

NDEVR takes the security of OWL and our software seriously. If you believe you've found a security vulnerability, we want to hear from you — and we'll work with you to resolve it.

Contact: security@ndevr.org · Encrypt sensitive reports with our PGP key (fingerprint 2996 4BF4 2EAE 7E74 F717 498C EBE8 8544 0D3F 68C3) · Published fixes: Security advisories.

The short version. Email security@ndevr.org with the affected product and version, the impact, and steps to reproduce. We'll acknowledge within 3 business days, assess within 10, keep you posted, and coordinate disclosure with you. Act in good faith and we won't pursue legal action.

1. How to report

Email security@ndevr.org. For sensitive reports, encrypt your message with our PGP key.

Please include:

  • the affected product and version,
  • a description of the issue and its impact,
  • step-by-step reproduction (a proof-of-concept is welcome).

One issue per report, please. OWL is end-to-end encrypted — reports that demonstrably break that model are especially valued.

2. Our commitment

When you report in good faith, we will:

  • acknowledge your report within 3 business days;
  • give you an assessment and an expected remediation timeline within 10 business days;
  • keep you updated as we work on a fix;
  • coordinate public disclosure with you — by default within 90 days of your report, or when a fix is broadly available, whichever is sooner;
  • publish a security advisory describing the issue, affected versions, and remediation once a fix is broadly available;
  • credit you in the advisory, with your permission.

3. Safe harbor

We will not pursue or support legal action against researchers who act in good faith under this policy: who make a genuine effort to avoid privacy violations, data destruction, and service disruption; who only interact with accounts they own or have explicit permission to access; who do not access, modify, or retain other users' data; and who give us reasonable time to remediate before any public disclosure.

4. Scope

In scope: ndevr.org, the OWL server and clients (desktop, web, and command-line), and NDEVR applications.

Out of scope: third-party services and dependencies (please report those to their maintainers), volumetric denial-of-service, social engineering of NDEVR staff or users, physical attacks, and findings that require an already-compromised device or a privileged local position.

5. Bug bounty

We don't currently offer monetary rewards, but we recognize good-faith researchers publicly with credit in our security advisories.

Preferred language: English. Machine-readable contact details: /.well-known/security.txt.