Security: overlap-dev/Nimbus

SECURITY.md

Security Policy

Nimbus is built with security in mind. We take security vulnerabilities seriously and appreciate responsible disclosure.

Supported Versions

Version Supported
1.x.x
0.x.x

We recommend always using the most recent version of Nimbus.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests, as this would result in immediate public disclosure.

Instead, please use one of the following channels:

  1. GitHub Private Vulnerability Reporting: Use the security advisory form to report the vulnerability directly on GitHub.

  2. Email: Send details to [email protected].

In your report, please include as much of the following as possible:

  • A description of the vulnerability
  • Steps to reproduce or a proof of concept
  • The potential impact
  • Any suggested fix, if applicable

Disclosure Process

  1. Acknowledgement: We will acknowledge receipt of your report as soon as possible, usually within 5 business days.
  2. Assessment: Our team will investigate and assess the reported vulnerability.
  3. Resolution: Fixes will be developed in a private environment to prevent premature disclosure.
  4. Notification: Once a fix is available, we will publish a GitHub Security Advisory and release a patched version.
  5. Credit: We are happy to credit reporters in the security advisory, unless you prefer to remain anonymous (let us know).

There aren’t any published security advisories