Security policy

We treat security reports against any nar0 surface as a high priority. Acknowledged within 3 business days; high-severity fixes shipped within 14 days.

How to report

Scope

In scope:

Out of scope:

Coordinated disclosure

Please give us a reasonable window before going public. We will publish a CVE / advisory within 30 days of a fix landing. We are happy to credit reporters by name and link in the acknowledgments below; let us know your preference.

Acknowledgments

None yet. Be the first.

security.txt

The machine-readable contact directives live at /.well-known/security.txt.