security@nerviq.net
Primary reporting path
Email security@nerviq.net with the subject SECURITY.
If the alias is temporarily unavailable, the repository policy currently also lists business@nerviq.net as a fallback.
Legal / Security
How to report security issues to Nerviq.
This draft security page is a public-facing summary of vulnerability reporting, supported versions, and response expectations. The repository-level SECURITY.md remains the more detailed operational source of truth.
Draft copy72-hour acknowledgement targetsecurity.txt published
Draft — pending legal review
Not yet authoritative. Contact hello@nerviq.net for questions.
Private disclosure first
Please do not open a public GitHub issue for an unpatched vulnerability. The first step should be a private report.
Helpful report contents
What to include
- affected product or surface
- affected version if known
- reproduction steps
- impact assessment if known
- logs, screenshots, or safe proof-of-concept details
Response expectations
The public page should stay simple: we will acknowledge credible reports quickly, then the repository policy carries the more detailed severity table.
Draft target
Public commitment
Initial acknowledgement within 72 hours.
Critical and high-severity issues follow the tighter timelines published in SECURITY.md.
No bug bounty is offered today, but responsible disclosure is welcome and reviewed.
| Severity | Response | Fix target |
|---|---|---|
| Critical | < 24 hours | < 48 hours |
| High | < 48 hours | < 7 days |
| Medium | < 7 days | < 30 days |
| Low | < 14 days | Next release |
Supported versions
The supported-version list below is taken directly from the current CLI repository security policy.
| Version line | Supported |
|---|---|
| 1.28.x | Yes |
| 1.27.x | Yes |
| 1.26.x | Yes |
| 1.25.x | Yes |
| < 1.25 | No |
Only the latest patch release of each supported major.minor line should be treated as eligible for security updates.
Current scope and posture
This page should describe what exists today, not imply a hosted enterprise control plane that is not yet public.
Included now
Current public scope
- the
@nerviq/clipackage - public GitHub workflows and release automation surfaces
- the Nerviq website and its lead-capture flow
From repo policy
Technical posture
- CLI operations are local by default
nerviq servebinds to localhost only- SBOM generation exists in the release posture
- npm provenance and release hygiene are part of the intended release flow
Disclosure workflow and safe-harbor stance
The public page should promise a responsible disclosure path without overselling guarantees that the team has not formally adopted.
Draft process
Coordinated disclosure flow
- acknowledge receipt
- triage severity
- reproduce on a supported version
- develop and test a fix
- publish the fix and notify the reporter
- document the change in release notes when appropriate
No bug bounty yet
Researcher expectations
There is no formal bug bounty program today.
We still welcome good-faith reports that avoid privacy violations, service disruption, destructive exploitation, or data exfiltration.
A formal safe-harbor clause should still receive legal review before it is treated as authoritative.
security.txt and contact surfaces
The website now publishes a machine-readable security contact file for scanners and researchers.
Published at /.well-known/security.txt.
- Contact:
mailto:security@nerviq.net - Preferred language:
en - Canonical location:
https://www.nerviq.net/.well-known/security.txt