Security & Responsible Disclosure

Nibras is built privacy-first: it collects no data, has no servers, and runs entirely on your device. Security is foundational. If you have found a vulnerability, we appreciate your help in disclosing it responsibly.

This page covers Nibras specifically. For the umbrella policy covering all KhassinX apps and infrastructure, see khassinx.com/security.

Reporting

Email: [email protected]
Machine-readable disclosure pointer: /.well-known/security.txt (RFC 9116)

Please include: a brief description, reproduction steps, the impact you observed, and any tooling you used.

Scope

  • nibras.khassinx.com (this website)
  • The Nibras iOS / iPadOS / macOS / watchOS app on the Apple App Store

Out of scope

  • Third-party services (Apple App Store, Apple iCloud, Apple on-device models) — please report to Apple directly via security.apple.com
  • Volumetric attacks (DDoS, brute force) — these are not considered vulnerabilities
  • Reports generated solely by automated scanners without reproducible proof of impact
  • Theoretical issues without a demonstrable attack path
  • Email spoofing on subdomains where we explicitly publish SPF/DKIM/DMARC

Response targets

  • Acknowledgement: within five business days
  • Initial triage: within fourteen days
  • Coordinated disclosure timeline: agreed case by case, typically ninety days for non-critical, expedited for critical

Safe harbor

We will not pursue legal action against researchers acting in good faith — investigating, reporting, and respecting our scope rules — who give us reasonable time to remediate before public disclosure.

Recognition

We do not currently offer a monetary bug bounty. We offer:

  • Public acknowledgement on this page (with your consent, in the form you prefer)
  • Direct communication with the engineering team handling the fix
  • A formal credit in our release notes when the fix ships

Contact

Security disclosure: [email protected] (PGP key available on request)
General contact: [email protected]