Security Policy
Responsible disclosure policy for nSelf and related services.
Scope
The following assets are in scope for security reports:
- nSelf CLI (nself-org/cli)
- nSelf plugins (nself-org/plugins, nself-org/plugins-pro)
- nself.org and all subdomains (*.nself.org)
- Docker images published under nself/
Out of scope
- Third-party dependencies (report upstream)
- Social engineering attacks
- Denial-of-service attacks
- Issues in self-hosted instances caused by user misconfiguration
Rules
- Do not access or modify other users' data
- Do not disrupt services or degrade performance
- Do not publicly disclose the issue before we have fixed it
- Provide enough detail for us to reproduce the issue
Safe Harbor
If you follow this policy in good faith, we will not pursue legal action against you. We consider security research conducted under this policy to be authorized and will not file complaints with law enforcement.
Response SLAs
| Severity | Acknowledgement | Initial assessment | Fix target |
|---|---|---|---|
| Critical | 48 hours | 5 days | 7 days |
| High | 48 hours | 5 days | 30 days |
| Medium | 48 hours | 5 days | 90 days |
| Low | 48 hours | 10 days | Best effort |
Public disclosure
We coordinate public disclosure 90 days after the fix is released. We will credit you in the security advisory unless you prefer to remain anonymous.
Recognition
We maintain a Hall of Fame for security researchers who report valid vulnerabilities. Monetary bounties via HackerOne are planned within 12 months.
Contact
Email: security@nself.org
Report form: nself.org/security/report