At Nirvati.org, we take security seriously. We believe in the power of community and appreciate the invaluable contributions from the security community in fortifying our Free and Open Source Software (FOSS) operating system. We’re not just about securing Nirvati; we’re also committed to enhancing the broader app ecosystem and tools we use.
In the past, we have found and reported vulnerabilities in various projects such as Alby (These issues), Lnbits, and GitHub.
If you found a vulnerability in Nirvati, any software we developed or an existing open-source app on Nirvati where you’re not sure who to contact,t
How to Report a Vulnerability
If you believe you’ve found a security vulnerability in the Nirvati ecosystem, we encourage you to report it to us. To report a vulnerability, please follow these steps:
A clear and concise description of the vulnerability.
Information on the affected component or feature.
Steps to reproduce the vulnerability, if possible.
Any potential impact or exploitation scenarios.
Your contact information for further communication.
Step 2: Secure Communication
If the vulnerability you’re reporting is sensitive, and you believe it requires a secure channel of communication, please request encryption. You can use PGP/GPG to encrypt your communication. We’ll provide our public key for this purpose upon request.
Step 3: Response
We take every report seriously and will make our best effort to acknowledge your report within 72 hours. We will review your report and assess the severity and impact of the vulnerability.
Step 4: Resolution
Once the vulnerability is confirmed, we will prioritize and work on a resolution. We appreciate your patience as we address the issue, and we will keep you informed of our progress.
Step 5: Public Disclosure
We believe in responsible disclosure. As an open source project, all of our code changes are inherently public. However, we ask you to refrain from posting proof-of-concepts or descriptions of vulnerabilities until we can confidently say most users received the update.
We will handle your report with the utmost confidentiality.
We will not take legal action against security researchers acting in good faith.
We will acknowledge your contribution to improving the Nirvati ecosystem security.
We will make every effort to resolve the issue promptly and keep you informed.
As an open source project that relies on donations, we can not offer a bug bounty program where you receive payment for reported vulnerabilities. We may still decide to offer you a reward if we’re able to do so depending on the severity of the vulnerability and the quality of your report.
Hall of Fame
We appreciate the effort of security researchers who help make the Nirvati ecosystem more secure. To honor these contributions, we maintain a “Hall of Fame” to publicly recognize those who report significant vulnerabilities.
If you have any questions or need further assistance, please feel free to reach out to us: