Nora treats financial data with the highest level of sensitivity. Security updates and patches are provided for the current stable release and the immediate previous LTS (Long Term Support) version.

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| 0.9.x | ✅ |
| 0.8.x | ❌ |
| < 0.8 | ❌ |

If you discover a security vulnerability within the Nora ecosystem, we ask that you do not report it publicly via GitHub Issues. Please follow our responsible disclosure process:
- Where to report: Send a detailed email to info.20player11@seznam.cz. For enhanced security, we recommend encrypting your message using our PGP key (available in the contact section).
- What to include: Provide a clear description of the vulnerability, steps to reproduce (PoC), and the potential impact on user data or system integrity.
- Expectations: Our security team will acknowledge receipt of your report within 24 hours.
- Process: We will provide status updates every 48 hours until the vulnerability is resolved. Once a fix is deployed, we will coordinate a public disclosure date with you.
- Bounties: We operate a Bug Bounty program for legitimate reports of critical vulnerabilities (e.g., data leaks, authentication bypass).

If the reporter follows this policy, we commit to not taking any legal action against them, provided that no real user data was exploited or compromised during the discovery.