Reporting a vulnerability
Found a security issue in Nazm? Tell us privately and we'll fix it. This page is the policy referenced by our security.txt.
How to report
Email [email protected] with the subject line Nazm security report. Please include:
- What the issue is and where you found it — a URL, endpoint, or screen.
- Steps to reproduce it. A short proof of concept helps enormously.
- What you believe the impact is.
Report privately, and give us a reasonable chance to ship a fix before sharing the details publicly.
What to expect from us
- We'll acknowledge your report within 3 business days.
- We'll keep you posted as we investigate, and tell you when it's fixed.
- If you'd like, we'll credit you once the fix ships.
Safe harbour
We won't pursue or support legal action against anyone who reports a vulnerability in good faith, follows this policy, and avoids privacy violations, data destruction, or service disruption while researching. Acting in good faith within the scope below, you have our authorisation to test.
Scope
In scope: the Nazm web app and its API.
Out of scope:
- Our infrastructure providers — DigitalOcean, Cloudflare, and Vercel — which have their own disclosure programmes. Report those to them directly.
- Denial-of-service, volumetric, or load-testing attacks.
- Social engineering of our team or our users, and physical attacks.
- Automated-scanner output with no demonstrated, exploitable impact.
Please don't
- Access, modify, or delete data that isn't yours — test with your own account.
- Degrade the service for other people.
- Disclose the issue publicly before we've had a chance to fix it.
No bug bounty (yet)
Nazm is an indie project in public alpha, so we can't offer cash rewards. What we can offer is a fast, respectful response, a real fix, and public credit if you want it.
Contact
Security reports and questions go to [email protected]. A real person will reply.