Security policy
We treat security reports against any nar0 surface as a high priority. Acknowledged within 3 business days; high-severity fixes shipped within 14 days.
How to report
- nar0.com server (DNS, /v1/lh/*, web): email abuse@nar0.com. PGP key available on request.
Scope
In scope:
- Authoritative DNS server for nar0.com.
- The nar0.com marketing site.
Out of scope:
- Issues that require a privileged position on the developer's own LAN to exploit (the threat model assumes a trusted local network for <ip>.<sub>.lh.nar0.com).
- Open redirects against staging/test infrastructure or non-production subdomains.
- Self-XSS that requires the user to paste into devtools.
Coordinated disclosure
Please give us a reasonable window before going public. We will publish a CVE / advisory within 30 days of a fix landing. We are happy to credit reporters by name and link in the acknowledgments below; let us know your preference.
Acknowledgments
None yet. Be the first.
security.txt
The machine-readable contact directives live at /.well-known/security.txt.