The Autonomous Polymorphic Agent (APA) project takes security seriously. We are committed to maintaining a secure and trustworthy platform for all users.
If you discover a security issue, do not open a public issue. Instead:
-
Email the security team at
founder@nbr.companywith:- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity assessment
- Any proof-of-concept code or demonstrations
-
Response timeline:
- Initial response within 72 hours
- Regular updates every 5 business days
- Target resolution within 30 days for critical issues
-
Coordinated disclosure:
- We will work with you to verify and remediate the issue
- Public disclosure coordinated after fix deployment
- Credit provided to reporters who wish acknowledgment
- Regular static analysis using CodeQL and govulncheck
- Dependency vulnerability scanning
- Security-focused code reviews for sensitive changes
- Automated security testing in CI/CD pipeline
- End-to-end encryption for all communications
- Secure authentication and authorization
- Regular security audits and penetration testing
- Automated security updates for dependencies
- Signed releases and checksum verification
- SBOM (Software Bill of Materials) generation
- Dependency provenance tracking
- Regular dependency updates and audits
Security fixes are provided for:
- Latest stable release (actively maintained)
- Previous major version (security fixes only)
- Main branch (bleeding edge, latest security patches)
Please ensure you are using a supported version before reporting issues.
We maintain transparency around our security posture:
- Monthly security audit reports
- Dependency vulnerability statistics
- Incident response metrics
- Security testing coverage reports
We gratefully acknowledge security researchers who help improve APA's security:
- Coordinated vulnerability disclosure participants
- Security audit contributors
- Community members who report security issues responsibly
For security-related inquiries:
- Email: founder@nbr.company
- PGP Key: Available upon request
- Response Time: Within 72 hours for critical issues