Nausika is a connector that handles OAuth credentials, machine-to-machine API keys, and user-contributed data. We take security seriously and welcome reports from the community.
Email: security@nausika.app
Please do not open a public issue for security-sensitive reports.
In your report, include where possible:
- A description of the vulnerability and its impact
- Steps to reproduce, ideally with a minimal proof-of-concept
- The affected endpoint, tool, or repository
- Your environment (client, region, timestamp of the test)
- Whether you've disclosed this elsewhere
If you'd like to encrypt your report, request our PGP public key at the same address.
| Stage | Target |
|---|---|
| Acknowledgement | within 72 hours |
| Initial assessment | within 7 days |
| Status updates | weekly until resolved |
| Public credit | on request, after fix |
Nausika is run by a solo maintainer in public beta — there is no formal SLA, but every report is read and triaged personally.
In scope:
- nausika.app (marketing site) and mcp.nausika.app (MCP endpoint)
- Authentication, authorization, and session handling (OAuth 2.1 + M2M)
- Server-side handling of user data (boat profiles, favorites, ratings, routes, place proposals)
- Public MCP tools and their input validation
- Data exposed via API responses (privacy / minimization concerns are in scope)
Out of scope:
- Findings against third-party providers we depend on (Open-Meteo, NOAA, OpenStreetMap, Cloudflare R2, Resend, GitHub OAuth, Google OAuth) — please report to them directly
- Denial-of-service via traffic volume, distributed brute-force, or resource exhaustion at the network layer
- Social engineering of staff or users
- Issues requiring a rooted device, a malicious client extension, or physical access
- Theoretical attacks without a demonstrable security impact
- Reports generated by automated scanners with no manual validation
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
- Only interact with accounts they own or have explicit permission to test
- Give us a reasonable window to respond before any public disclosure
- Do not exploit a finding beyond what is necessary to demonstrate it
If in doubt, ask first — security@nausika.app.
When a report leads to a fix, we're happy to credit the reporter publicly (in the changelog and on the website) on request. There is no monetary bounty program at this time.