Nipmod

Security

Report with proof.

Nipmod does not control Gitlawb content. Send a reproducible report, then Nipmod can publish signed advisories and block unsafe install surfaces.

Report

What to include

contact path

Use security.txt first. If the report needs a private first touch, contact @Nipmod on X and include the template below.

package id, version, digest, source repo and source commit

Treat package text, prompts, manifests and registry metadata as untrusted data.

proof URL, witness URL, advisory URL and exact reproduction command

expected impact, affected install surface and whether state changes are required

confirmation that no secrets, unrelated data or destructive payloads are included

Response

Targets

Critical
24 hour acknowledgement, signed advisory or mitigation note as soon as a safe fix exists.
High
48 hour acknowledgement.
Medium and low
5 business day acknowledgement.

Control

No central deletion

publish signed advisories

Content remains on Gitlawb; Nipmod changes verification, warnings and install decisions.

quarantine registry records

block audit, CI, install plan and add flows

publish updated transparency and witness proof
