Security & Vulnerability Disclosure Policy

Version 2026-05-15.0 | Last Updated: May 15, 2026 (UTC)

How to Report

Submit suspected vulnerabilities via email to [email protected]. Include reproduction steps, impact, affected endpoints, and any logs or proofs of concept. Please avoid sensitive data in attachments.

If your report involves distribution, licensing, or paid-build behavior, specify whether the issue relates to the NekoByte client or the Steam-distributed build.

Scope (In-Scope Targets)

• NekoByte desktop client (installation, IPC, feature modules)
• NekoByte web properties and administrative infrastructure
• Assets distributed via official Steam or website channels

Out of Scope

• Social engineering, phishing, or physical attacks
• Denial of service testing
• Third-party optional SDK issues except for integration misconfigurations we control
• Findings requiring rooted or jailbroken devices or unsupported OS modifications
• Spam, spoofed emails, or reports without a security impact

Expectations & Response Targets

• Acknowledgement within 3 business days.
• Initial triage and severity assessment within 7-10 business days.
• Status updates provided after triage and at key remediation milestones.

Safe Harbor

If you follow this policy, act in good faith, avoid privacy violations, and do not exploit data beyond what is necessary to demonstrate the issue, we will not pursue or support legal action related to your research. Please give us reasonable time to remediate before public disclosure.

Emergency Contact

For actively exploited vulnerabilities, flag your report as "URGENT" in the subject line of your email to [email protected]. We prioritize real-time threats to installers or user data protection.

Changes

We may update this policy as our infrastructure, release process, or reporting procedures change.