Security policy

Last updated: 2026-06-03.

Reporting a vulnerability

Please disclose vulnerabilities privately to security@niso.online. We aim to acknowledge within 48 hours and ship a fix or mitigation within 14 days for critical issues.

Do not file public GitHub issues or post on social media until we've confirmed a coordinated disclosure window.

Scope

• niso.online — this website
• registry.niso.online — the package registry API
• The niso-cli, niso-registry and other niso crates
• The reference Linux runtime stack (systemd units, nftables rules)

Out of scope: third-party packages published by independent authors under their own namespaces. Report those to the author directly.

Supply-chain guarantees

• SHA-256 checksums. The registry computes the digest of every uploaded .niso package. The client verifies it on pull and aborts on mismatch.
• Reproducible install. Pulling a pinned version is deterministic — the same digest every time.
• Isolated runtime. Every package runs under a systemd unit with DynamicUser, dropped capabilities, seccomp filtering, and a private rootfs. See isolation docs.
• Signed releases (roadmap). Ed25519 signing of packages is supported by niso-pack; signature verification is enforced by the client when a public key is registered for the namespace.

Known limitations

• The registry does not currently run automatic vulnerability scanning on uploaded packages. Planned; see roadmap.
• Public packages are content-addressed; a delete removes the pointer but pulled artefacts on user hosts are not purged.

Bug bounty

We don't currently run a formal bug bounty programme, but verified critical reports will receive public credit (with your consent) and a small thank-you (swag, CVE coordination support).