Skip to content

Security: namoidhq/namoid-status

Security

SECURITY.md

Security policy

This repository is part of NamoID — an identity provider, so we take security seriously even in our client libraries and examples. If you've found a vulnerability, please report it privately so we can fix it before it gets exploited.

Reporting a vulnerability

Email: hello@namoid.in

Please do not open a public GitHub issue for security reports.

Include:

  • A clear description of the issue and where you found it (repo, file + line, package version, or a URL if it's a hosted surface).
  • Reproduction steps — the minimum required for us to trigger it.
  • Impact assessment: who is affected, what data is exposed, what capability is gained.
  • Optional: a suggested fix.

We'll acknowledge within 48 hours and give a triage decision within 5 business days. We'll credit you in the release notes if you'd like — anonymous reports are welcome too.

Scope

This repo is an Upptime-powered status page and configuration repo. The most relevant findings here are things like:

  • Secret handling issues in GitHub Actions/workflows (token leakage, unsafe logging).
  • Misconfigurations that could expose internal endpoints or sensitive metadata.
  • Dependency vulnerabilities that affect the generated status site or checks.

Findings against the NamoID hosted service itself (*.id.namoid.in, api.namoid.in) are also welcome — email the same address with the details above.

Safe harbor

If you act in good faith — no data exfiltration beyond proof-of-concept, no service disruption, no targeting of other people's accounts, and you give us time to fix before disclosing — we won't pursue legal action against you.

There aren't any published security advisories