Security
Novaonda's development team is strongly committed to responsible reporting and disclosure of security-related issues. As such, we've developed a policy for handling security issues.
Reporting security issues
We generally accept bug reports via GitHub, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.
Instead, if you believe you’ve found something in any of Novaonda’s products that has security implications, please email a description of the issue to security@novaondatechnologies.com.
Mail sent to that address reaches a subset of the development team, limiting the issue’s exposure.
Once you’ve submitted an issue via email, you should receive an acknowledgement from a member of the Novaonda development team within 48 hours. Depending on the action to be taken, you may receive further follow-up emails.
This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it’s important that we follow the release process above to ensure that the disclosure is handled consistently.
Report security issues
Send email to security@novaondatechnologies.com
To send an encrypted email, use this public key ID:
A9F2 3B7C D5E8 14A6 9C02 7FDE 8A41 C6B3 0D8E 5F49
Disclosure
Our process for taking a security issue from private discussion to public disclosure involves multiple steps, and depends on which product has the issue.
If the API has an issue that does not affect client software, we will apply the relevant patches to the API, and deploy it.
If client libraries are affected, we will apply patches and release a new version to the relevant package managers (PyPI, Rubygems, etc).
Once the software is patched, we will post a public entry on the Novaonda blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).
Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the various ecosystems we use, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.