NIRMINI DEVELOPMENT — RESPONSIBLE DISCLOSURE POLICY
Revision 1 | Written by Katt on March 19th, 2026.

-----------------------------------------------------------------------
OVERVIEW
-----------------------------------------------------------------------

Nirmini Development is committed to working with security researchers
in good faith. We ask that all researchers follow this responsible
disclosure policy when reporting vulnerabilities to us.

-----------------------------------------------------------------------
OUR COMMITMENTS TO YOU
-----------------------------------------------------------------------

- We will acknowledge your report promptly.
- We will investigate and respond with our assessment.
- We will keep you informed of our progress toward a fix.
- We will credit you publicly when the issue is disclosed, unless you
  prefer to remain anonymous.
- We will not pursue legal action against researchers who act in good
  faith and within the scope of this policy.

-----------------------------------------------------------------------
YOUR COMMITMENTS TO US
-----------------------------------------------------------------------

- Report vulnerabilities privately via the contact methods listed in
  security.txt before any public disclosure.
- Give us 90 days from the date of your initial report to develop and
  deploy a fix before disclosing publicly.
- Do not access, modify, or delete user data beyond what is necessary
  to demonstrate the vulnerability.
- Do not perform denial-of-service attacks.
- Do not conduct social engineering against our team or users.
- Do not test out-of-scope systems (see rd-scopes.txt).

-----------------------------------------------------------------------
DISCLOSURE TIMELINE
-----------------------------------------------------------------------

We follow a 90-day disclosure window, consistent with Google's Project
Zero policy.

Day 0     — You report the vulnerability to us privately.
Day 1-7   — We acknowledge receipt and begin investigation.
Day 1-90  — We work on a fix and communicate progress with you.
Day 90    — Public disclosure occurs, with or without a fix, unless an
            extension has been mutually agreed upon.
Early     — If a fix is deployed and users are migrated before Day 90,
            we may coordinate early disclosure with you.

Extensions may be granted in exceptional circumstances (e.g., complex
supply chain issues) at our discretion and with researcher agreement.

-----------------------------------------------------------------------
CVE ASSIGNMENT
-----------------------------------------------------------------------

If a vulnerability is likely to receive a CVE assignment, Nirmini will
file the CVE ourselves. This will happen after:

1. A patch has been developed and deployed.
2. At least 30% of affected users have migrated to the patched version.
3. We have required all remaining users to update.

The CVE will be published with full credit to the original reporter.
We will not suppress or indefinitely delay the CVE. The above
conditions exist solely to allow us to safely migrate our user base
before details become public.

If you believe a CVE is warranted and we have not filed one within a
reasonable timeframe after the above conditions are met, please reach
out via the contact methods in security.txt.

-----------------------------------------------------------------------
SAFE HARBOR
-----------------------------------------------------------------------

Nirmini considers security research conducted in accordance with this
policy to be authorized and will not pursue civil or criminal action
against researchers acting in good faith.

We consider your research to be conducted in good faith if you:

- Comply with the scope and rules in rd-scopes.txt.
- Report vulnerabilities promptly and refrain from exploiting them.
- Avoid privacy violations and disruption to our services.
- Do not exfiltrate, manipulate, or destroy data.

-----------------------------------------------------------------------

For contact details, see: https://nirmini.dev/.well-known/security.txt
For scope details, see:   https://nirmini.dev/.well-known/rd-scopes.txt