Security Policy
This Security Policy explains how to report security vulnerabilities in NobGit, what testing is allowed, and what testing is not allowed. It is meant to make good-faith security reporting possible without putting users, private repositories, infrastructure, or service availability at risk.
1. Reporting a Vulnerability
If you believe you have found a security vulnerability in NobGit, report it as soon as possible to: security@nobgit.com.
If the issue involves abuse, phishing, malware, copyright abuse, exposed credentials, illegal content, or harmful content hosted on NobGit, use: https://abuse.nobgit.com.
For general account or support issues, contact: support@nobgit.com.
2. Scope
This policy applies to security reports involving NobGit-controlled services, including:
- The NobGit web application and authenticated account areas.
- Git over HTTP and Git over SSH endpoints.
- Repository access controls, private repository visibility, raw file access, commits, issues, wiki pages, merge requests, and fork requests.
- Authentication, signup, email verification, password login, passkeys, OTP, sessions, SSH keys, GPG keys, personal access tokens, OAuth, and MCP authorization.
- Public NobGit policy pages and the NobGit abuse reporting worker where the issue affects NobGit security or user data.
Third-party services, providers, browsers, operating systems, mail clients, and user devices are outside NobGit's scope unless the issue is caused by NobGit's configuration or code.
3. What to Include in a Report
A useful report should include enough information to understand, reproduce, and fix the issue:
- A clear description of the vulnerability.
- The affected URL, endpoint, repository, account area, or feature.
- Steps to reproduce the issue using your own account or authorized test data.
- The expected result and the actual result.
- Impact, including whether private data, tokens, credentials, repositories, or account actions are affected.
- Proof-of-concept code, screenshots, logs, or request examples, if safe to share.
- Your contact information, if you want NobGit to follow up.
Do not include passwords, private keys, access tokens, session cookies, private repository contents, or sensitive data from other users unless strictly necessary to prove the issue. If you accidentally access private data, stop testing and report the issue immediately.
4. Allowed Testing
NobGit allows responsible, good-faith security testing when it is limited, non-destructive, lawful, and does not harm users, data, systems, or service availability.
Allowed testing includes:
- Testing your own NobGit account.
- Testing repositories, organizations, issues, wiki pages, keys, tokens, OAuth clients, and MCP access that you own or control.
- Testing access-control behavior without accessing or changing other users' data.
- Testing authentication and session behavior using your own account.
- Testing common web vulnerabilities, such as cross-site scripting, CSRF, open redirects, session issues, and authorization bugs, as long as testing stays safe and limited.
- Reporting accidentally discovered vulnerabilities without continuing to exploit them.
5. Testing That Is Not Allowed
The following testing is not allowed:
- Denial-of-service testing, load testing, stress testing, traffic flooding, or resource exhaustion.
- Accessing, copying, modifying, deleting, exporting, or exposing another user's private data.
- Attempting to take over accounts that you do not own.
- Testing against repositories, organizations, accounts, workers, infrastructure, providers, or services without permission.
- Uploading malware, ransomware, credential stealers, destructive scripts, exploit payloads, or harmful files.
- Phishing, social engineering, impersonation, or contacting NobGit users as part of testing.
- Spam, mass account creation, scraping, abusive automation, or rate-limit bypassing.
- Bypassing account restrictions, suspensions, access controls, or security controls in a harmful way.
- Physical attacks, attacks against NobGit staff, or attacks against third-party providers.
- Publicly disclosing a vulnerability before NobGit has had a reasonable chance to investigate and fix it.
6. Responsible Disclosure
Researchers should:
- Report vulnerabilities privately.
- Give NobGit a reasonable amount of time to investigate and fix the issue.
- Avoid accessing, downloading, changing, or exposing data that does not belong to you.
- Stop testing immediately if you discover private data, service instability, or unintended access.
- Act in good faith and avoid harming NobGit, users, providers, or third parties.
Testing that follows this policy, stays within authorized areas, and is reported responsibly will generally be treated as good-faith security research. This is not permission to break the law or access data you are not allowed to access.
7. Out-of-Scope Reports
Some reports may not be treated as vulnerabilities unless they create a clear, realistic security risk. Examples include:
- Missing security headers without a working exploit or meaningful impact.
- Clickjacking on pages that do not expose sensitive actions or data.
- Reports based only on software version numbers without proof of exploitability.
- Self-XSS that requires a user to attack their own account.
- Rate-limit concerns without a practical abuse scenario.
- Username, email, or repository enumeration unless it exposes private data or enables abuse.
- Social engineering reports that do not involve a technical NobGit vulnerability.
- Email spoofing reports without proof that NobGit mail configuration is misconfigured.
8. No Bug Bounty Promise
NobGit does not currently operate a paid bug bounty program. Submitting a report does not create a right to payment, reward, employment, public credit, or other compensation.
NobGit may choose to acknowledge helpful reports, but this is at NobGit's discretion.
9. Enforcement
NobGit may suspend accounts, block access, remove content, revoke credentials, preserve evidence, or take other action if security testing violates this policy, harms the service, risks user data, violates the Acceptable Use Policy, or breaks the law.
10. Contact Summary
- Security vulnerabilities: security@nobgit.com
- Abuse, malware, phishing, copyright, leaked credentials, illegal content, or harmful content: https://abuse.nobgit.com
- Abuse email fallback: abuse@nobgit.com
- General support: support@nobgit.com