Report security vulnerabilities privately — do not open a public issue.

Contact: open a GitHub Security Advisory

Include:

• A clear description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

You will receive an acknowledgement within 48 hours. Critical vulnerabilities are patched within 7 days.

In-scope:

• Remote code execution via crafted source plugin or API response
• Credential leakage from the vault or apikeys.json
• OPSEC bypass (real IP exposure when proxy/Tor is configured)
• Dependency vulnerabilities with a direct exploit path

Out of scope:

• Issues requiring physical access to the machine
• Social engineering
• Vulnerabilities in third-party APIs queried by NOX