Security Policy
Responsible Disclosure
Reporting Security Vulnerabilities
We take security seriously. If you discover a security vulnerability in NanoGuard, we appreciate your help in disclosing it to us responsibly.
What to Report
Please report any security issues including:
- Vulnerabilities in NanoGuard CLI code
- Bypass techniques for scanner detection rules
- Weaknesses in YARA or Semgrep rule coverage
- Issues with CVE database or version detection
- Privilege escalation or sandbox escape in the tool itself
- Any other security-relevant bugs
What NOT to Report Here
⚠️ DO NOT open public GitHub issues for vulnerabilities
Public disclosure before a fix is available puts users at risk. Please use the private security email address above.
Our Commitment
When you report a vulnerability:
- We will acknowledge receipt within 48 hours
- We will provide a timeline for a fix within 7 days
- We will keep you updated on our progress
- We will credit you in release notes (unless you prefer to remain anonymous)
- We will not pursue legal action against good-faith security researchers
Coordinated Disclosure
We prefer coordinated disclosure:
- Report the vulnerability privately to security@nanosec.ai
- Allow us reasonable time to develop and release a fix
- Coordinate timing for public disclosure
We aim to release security patches within 30 days for critical issues, 90 days for moderate issues. We will work with you to determine appropriate disclosure timing.
PGP Key
# PGP key for encrypted communication (coming soon)
# For now, please use plaintext email to security@nanosec.ai
Scope
This policy applies to:
- NanoGuard CLI — the Python scanner (github.com/nanosec-ai/nanoguard)
- NanoGuard.app — this website
- Official releases — PyPI packages under the "nanoguard" name
Thank You
Security researchers and responsible disclosures make open-source security tools better. We appreciate your partnership in keeping the AI agent ecosystem safer.