Coordinated Vulnerability Disclosure

Last updated: 2025-08-26

We welcome good-faith security reports. Our goals are user safety, timely remediation, and clear communication.

How to report

• Email: security@nlr.cx (preferred) or research@nlr.cx
• Optional: encrypt with our PGP key at /pgp.txt

What to include

• Affected product/app version and platform
• Technical description and minimal PoC (no exploitation of third-party systems)
• Impact assessment and suggested remediation (if known)
• Your preferred contact info for coordination

Safe harbor

If you (i) test only your own accounts/devices and avoid accessing third-party data, and (ii) avoid service disruption and comply with applicable laws, we will not pursue legal action and will consider your research authorized.

Timeline

• Acknowledge within 7 days
• Remediation plan within 30 days
• Public disclosure target: 90 days from acknowledgment (or sooner if exploitation in the wild occurs)

Recognition

With permission, we can acknowledge researchers in an advisory after remediation.

← Back to home