If you find a security issue in Nipcode (hosted API, CLI, trust scoring, install-plan logic, or Supabase data path), please report it privately first.
Email: info@nipcode.xyz with subject SECURITY.
Please do not open a public GitHub issue for security reports. We will acknowledge within 72 hours.
When reporting, include:
- Affected surface (hosted API path, CLI command, Supabase table, etc.)
- Reproduction steps
- Impact assessment (what could a bad actor do?)
- Optional: proposed fix
In scope:
- Authentication and session management (/api/auth*, /api/sign-out)
- API key generation, scoping and revocation
- Trust scoring and install-plan boundaries
- Supabase RLS / schema (read/write/escalation)
- DNS, TLS, and Vercel deployment surface
Out of scope:
- Third-party source registries (npm, PyPI, etc.). Please report to the source maintainers directly
- Social engineering and physical security
- DoS that does not bypass our existing rate limits
Our commitments:
- We will respond within 72 hours.
- We will keep you informed of progress.
- We will credit reporters in release notes unless they prefer to stay anonymous.
- We will not pursue legal action against good-faith research that follows this policy.
Security design rules:
- Hosted API is read-only. Any change that allows the hosted API to install, clone, extract, download, or write to a caller workspace is rejected on review.
- Package metadata (READMEs, model cards, MCP descriptions) is treated as untrusted data. It must not be passed as instructions to a language model without quoting/escaping context.
- Trust scores must trace back to source-owned evidence. No fabricated numbers.
- API keys are scoped per-account. They live in Supabase with RLS; the server-side admin path is the only writer.