If you discover a security vulnerability in Nerviq, please report it responsibly.

Email: security@nerviq.net

Please include:

• Description of the vulnerability
• Steps to reproduce
• Affected version(s)
• Impact assessment (if known)

Do not open a public GitHub issue for security vulnerabilities.

Only the latest patch release of each supported major.minor line receives security updates.

• Zero runtime dependencies. Nerviq ships with no production node_modules — only Node.js (>=18) is required.
• devDependencies audited monthly using npm audit and reviewed for known CVEs.
• SBOM published with every release (sbom.cdx.json) in CycloneDX format for full dependency transparency.
• Lockfile integrity checked in CI to prevent supply-chain tampering.

• All operations run locally — no data is sent to external servers by default.
• The nerviq serve command binds to localhost only (127.0.0.1), never to 0.0.0.0.
• deep-review (opt-in) redacts secrets and credentials before sending config snippets to any AI provider.
• No secrets, tokens, or API keys are stored by Nerviq.

If a Nerviq audit check produces a false positive (flags something that is not actually a problem):

1. Run nerviq audit --verbose to identify the exact check key (e.g., permissionDeny).
2. Open a GitHub issue with:
   • The check key
   • Your project structure (relevant files only)
   • Why you believe it is a false positive
3. Alternatively, use nerviq feedback --key <checkKey> --status rejected --effect neutral --notes "false positive: <reason>" to record it locally.

False positive reports help us improve check accuracy for all users.

We gratefully acknowledge security researchers who responsibly disclose vulnerabilities. With your permission, we will list you in our security acknowledgments.