Security: jsgrrchg/NeverWrite

.github/SECURITY.md

Security Policy

NeverWrite is a desktop application for power users, and we take security reports seriously. If you believe you have found a vulnerability, please report it privately so we can investigate and coordinate a fix before details become public.

Reporting a Vulnerability

Please use GitHub's private vulnerability reporting flow:

  1. Open the Security tab for this repository.
  2. Click Report a vulnerability.
  3. Include a clear description of the issue and its potential impact.
  4. Include reproduction steps, proof-of-concept details, affected versions, logs, or screenshots when they help explain the issue.

Please do not report suspected vulnerabilities through public issues, discussions, pull requests, or social channels until we have reviewed the report and agreed on a disclosure path.

What to Include

Helpful reports usually include:

  • The affected platform and app version.
  • Clear steps to reproduce the behavior.
  • The expected and actual security impact.
  • Any relevant files, configuration, sample payloads, or logs.
  • Whether the issue is already public or known elsewhere.

Scope

This policy applies to the code, packaging, release artifacts, and project-maintained integrations in this repository.

For vulnerabilities in third-party dependencies, please report the issue to the upstream project first unless NeverWrite's use of that dependency introduces a separate vulnerability.

Response Expectations

We will review private vulnerability reports as promptly as we can, ask follow-up questions when needed, and coordinate remediation and disclosure through GitHub Security Advisories when appropriate.

Thank you for helping keep NeverWrite and its users safe.
