Security reports need a private path. If you think you found a vulnerability in Nora, do not open a public GitHub issue, discussion, or pull request.
Nora is still evolving quickly. Security fixes are prioritized for the latest public code on the default repository branch and any current deployment guidance reflected in the root docs.
Older snapshots, stale forks, and heavily modified self-hosted deployments may require you to rebase or upgrade before a fix can be applied cleanly.
Report vulnerabilities privately to the repository maintainer through GitHub, currently @solomon2773.
When possible, include:
- a short description of the issue
- the affected component or path
- reproduction steps or a proof of concept
- impact assessment
- any suggested mitigation
- whether the issue is already known to anyone else
If GitHub private vulnerability reporting is available for the repository, prefer that path. Otherwise, contact the maintainer privately through GitHub rather than posting in a public thread.
- Do not post exploit details in public issues or discussions.
- Do not include secrets, production credentials, API keys, or private customer data in a report.
- Do not run destructive testing against infrastructure you do not own or have explicit permission to test.
The goal is to:
- acknowledge a credible report promptly
- reproduce and assess severity
- develop and validate a fix or mitigation
- coordinate disclosure after affected users have a reasonable path to update
Response times are best-effort and may vary depending on report quality, impact, and maintainer availability.
Please give maintainers a reasonable window to investigate and ship a fix before public disclosure. Coordinated disclosure improves the odds that self-hosted operators can patch safely.
This policy covers vulnerabilities in the public Nora repository, including:
- the web surfaces
- the backend API
- provisioning workers
- runtime integration code
- public install and deployment scripts
- documentation that could lead to unsafe deployment defaults
If an issue only affects your own infrastructure, custom integrations, or modified deployment topology, the maintainer may still help narrow it down, but remediation may remain your responsibility.