Coordinated Vulnerability Disclosure Policy
NDEVR takes the security of OWL and our software seriously. If you believe you've found a security vulnerability, we want to hear from you — and we'll work with you to resolve it.
1. How to report
Email security@ndevr.org. For sensitive reports, encrypt your message with our PGP key.
Please include:
- the affected product and version,
- a description of the issue and its impact,
- step-by-step reproduction (a proof-of-concept is welcome).
One issue per report, please. OWL is end-to-end encrypted — reports that demonstrably break that model are especially valued.
2. Our commitment
When you report in good faith, we will:
- acknowledge your report within 3 business days;
- give you an assessment and an expected remediation timeline within 10 business days;
- keep you updated as we work on a fix;
- coordinate public disclosure with you — by default within 90 days of your report, or when a fix is broadly available, whichever is sooner;
- publish a security advisory describing the issue, affected versions, and remediation once a fix is broadly available;
- credit you in the advisory, with your permission.
3. Safe harbor
We will not pursue or support legal action against researchers who act in good faith under this policy, meaning researchers who:
- make a genuine effort to avoid privacy violations, data destruction, and service disruption;
- only interact with accounts they own or have explicit permission to access;
- do not access, modify, or retain other users' data;
- give us reasonable time to remediate before any public disclosure.
4. Scope
In scope: ndevr.org, the OWL server and clients (desktop, web, and command-line), and NDEVR applications.
Out of scope: third-party services and dependencies (please report those to their maintainers), volumetric denial-of-service, social engineering of NDEVR staff or users, physical attacks, and findings that require an already-compromised device or a privileged local position.
5. Bug bounty
We don't currently offer monetary rewards, but we recognize good-faith researchers publicly with credit in our security advisories.