Back to Trust
Security

Security & vulnerability disclosure

We treat security reports as first-priority. This page is the authoritative source for how to reach the security team, what response time to expect, and what we ask of researchers in exchange.

Last reviewed

Report a vulnerability

Email security@nanopocket.ai with reproduction steps, affected URL or app version, and the impact you observed. If the report is sensitive, encrypt with our PGP key (see fingerprint below).

Plain-language reports in any language are welcome. We do not require a CVE template. We acknowledge every report within 72 hours and provide a status update within 7 days.

In scope

  • nanopocket.ai and its subdomains.
  • The Image FaceSwap Pro 2.0 and Video FaceSwap Pro online demos (Cloudflare tunnels).
  • The desktop applications: Nano FaceSwap, FaceSwap Pro, ImageEnh Pro, VideoEnhance, VideoGen, ImageEdit, FacialEdit, ImageTryon.
  • Account, license, and activation APIs (auth, license, activations).
  • Update channel and the signed-manifest update mechanism.

Out of scope

  • Volumetric DDoS or rate-limit testing without prior coordination.
  • Issues in third-party subprocessors (Stripe, Vercel, Supabase, Cloudflare, Google) — please report those to the respective vendor under their disclosure policy.
  • Physical security of demo GPU hosts.
  • Issues that require a malicious local OS / firmware compromise to be reachable.
  • Self-XSS, missing rate limits without proven impact, missing security headers without proof of exploit.
  • Phishing, social engineering, and password-reuse attacks against NanoPocket staff.

Coordinated disclosure timeline

  • Acknowledge: ≤ 72 hours after the report.
  • Validate: ≤ 7 days, with the impact assessment shared with the reporter.
  • Fix: 14–90 days depending on severity (CVSS-based). Critical issues are patched within 14 days; high within 30; medium within 60; low within 90.
  • Public disclosure: after a fix is shipped, on coordinated date with the reporter. We credit reporters by name (or handle) in the release notes unless they prefer anonymity.

Researcher safe harbor

Good-faith research conducted in accordance with this policy — meaning the researcher stops at proof of vulnerability, does not access or exfiltrate user data beyond what is needed to demonstrate impact, and reports promptly — will not be the basis of a legal action by NanoPocket. We treat researchers as colleagues, not threats.

Bug bounty status

NanoPocket does not currently operate a paid bug bounty programme. We may offer discretionary swag or a license credit on a case-by-case basis. We will publicly credit the reporter on this page and in the relevant release notes.

What we do internally

  • Code signing. Windows builds are Authenticode-signed; macOS builds are signed and notarised by Apple. Unsigned installers are not distributed.
  • Update channel. Updates are fetched over HTTPS with a signed manifest. Users can opt out of automatic updates.
  • License posture. Activation is bound to a hashed machine identifier; the raw machine ID never leaves the device.
  • Dependency posture. CI runs npm audit and a vulnerability scan (Trivy) on every pull request. Critical CVEs block the merge.
  • Secret hygiene. No secrets are committed to git; Vercel and Supabase manage runtime secrets. Codacy scans flag accidental commits.
  • Standards followed. OWASP ASVS Level 1 for the web application, OWASP MASVS for considerations on the desktop binary.

PGP key

Sensitive reports may be encrypted to security@nanopocket.ai. Request the current public key by emailing the address above with the subject line “PGP key request”; the key fingerprint and ASCII-armored block will be returned out-of-band. We rotate the key annually.

security.txt

We publish the RFC 9116 file at /.well-known/security.txt. Automated scanners (e.g. internetwide vuln-disclosure indexes) read this file without needing to crawl the marketing site. The file is signed-mirror to this page; both sources are authoritative.

Hall of fame

We publicly credit reporters here once a fix is shipped and the reporter consents.No credited reports yet — be the first.