Security

Responsible vulnerability reporting guidelines. We ask you to report issues privately and without causing harm.

How to report a vulnerability

Send details to nacosof@gmail.com.

  • Describe the impact and affected components/endpoints.
  • Include steps to reproduce (without causing harm or data loss).
  • Include a proof of concept only if it is safe and responsible to do so.
  • Do not publish details publicly before coordination and remediation.
  • Do not intentionally bypass access controls beyond what is necessary to prove the issue.

Questions

If you are unsure whether your report fits responsible disclosure, just email us.

Timing expectations

  • We will try to respond within 48 hours after receiving your report.
  • Public disclosure is usually coordinated after a fix or mitigation is available.
  • If immediate remediation is not possible, we will coordinate a reasonable timeline.

What we ask you not to do

  • Do not attack the service (DDoS, data corruption, destructive actions).
  • Do not request access to private data beyond what is necessary.
  • Do not run automated scans without a responsible goal.

Safe harbor (no retaliation)

If you report issues in good faith and in accordance with this policy without causing harm, we will not take action against you solely for making the report. We may ask you for clarification or to limit actions until remediation is available.