Responsible Disclosure Policy
Last updated: April 14, 2026
In scope
- All *.nself.org subdomains
- nSelf CLI binary integrity (nself-org/cli)
- Published plugins (nself-org/plugins, nself-org/plugins-pro)
- Homebrew tap (nself-org/homebrew-nself)
- Docker images published under nself/
Out of scope
- Self-hosted user instances (user-managed infrastructure)
- Rate-limit findings without demonstrated impact
- Denial of service requiring more than 100 RPS
- Social engineering (phishing, vishing, physical)
- Third-party dependencies (report upstream first)
Safe harbor
If you follow this policy in good faith, nSelf will not pursue legal action against you. We consider security research conducted under this policy to be authorized conduct and will not file complaints with law enforcement. If legal action is initiated by a third party against you for activities conducted under this policy, we will make this authorization known.
Rules of engagement
- Do not access or modify other users' data
- Do not disrupt services or degrade performance
- Do not exfiltrate data beyond what is necessary to demonstrate the issue
- Provide enough detail for us to reproduce the vulnerability
- Do not publicly disclose until the coordinated disclosure timeline expires
Response SLAs
| Stage | Target |
|---|---|
| Acknowledgement | Within 72 hours |
| Triage and severity assignment | Within 7 days |
| Fix or roadmap (Critical/High) | Within 90 days |
Coordinated disclosure
The default coordinated disclosure window is 90 days from the date we confirm the report. We will credit you in the security advisory and on our Hall of Fame unless you prefer to remain anonymous.
Bounty program
We run a bounty program through HackerOne. Initial scope covers ping.nself.org, api.nself.org, and the CLI binary.
| Severity | Reward |
|---|---|
| Critical | $2,500 |
| High | $1,000 |
| Medium | $300 |
| Low | $50 |
Contact
Email: security@nself.org
Report form: nself.org/security/report
PGP key: nself.org/.well-known/pgp-key.txt