Security Policy
We take security seriously. All security features in ɳSelf are free, default, and automatic — no paywall, ever.
Responsible Disclosure
If you discover a security vulnerability in ɳSelf, please report it privately. Do not open a public GitHub issue.
Report a vulnerability:
- Email: security@nself.org
- PGP key: pgp-key.txt
Response SLA
| Severity | Ack | Triage | Fix |
|---|---|---|---|
| Critical | 48 hours | 72 hours | 7 days |
| High | 48 hours | 7 days | 30 days |
| Medium / Low | 48 hours | 14 days | 90 days |
Scope
In scope
- ɳSelf CLI (nself-org/cli)
- Plugin system (free + paid)
- Backend services (Hasura, Auth, Nginx)
- Authentication and authorization
- API endpoints and GraphQL
- nself.org web apps
Out of scope
- Third-party dependencies (report upstream)
- Attacks against our hosted infrastructure (the servers we operate)
- Social engineering
- Physical access attacks
Safe Harbor
Security research conducted in good faith under this policy will not be subject to legal action. We ask that you:
- avoid accessing, modifying, or deleting user data;
- do not perform denial-of-service attacks;
- disclose to us before going public (90-day window).
CVE Assignment
We will request CVE assignment for vulnerabilities that meet the threshold. Reporters who identify a qualifying vulnerability will receive public credit in our hall of fame unless they prefer anonymity.
Bug Bounty
We do not currently run a paid bug bounty program. Valid reports receive public credit and our sincere thanks.
SBOMs
Software Bill of Materials (SBOM) files in CycloneDX format are attached to every GitHub release starting at v1.0.9. Each SBOM is signed with cosign.
Download: github.com/nself-org/cli/releases
Security is Always Free
All security and hardening features in ɳSelf are free, default, and automatic. No security feature is paywalled. This includes: row-level security, rate limiting, MFA throttle, SSRF guard, JWT key rotation, WAF basics, audit logs, encryption-at-rest, and automatic TLS.