Tell us, in confidence,
what you found.

The following surfaces are in scope for coordinated disclosure:

• This website (namidb.com) and any subdomain we operate.
• The NamiDB engine code in the public repository.
• Any private-beta cloud namespace assigned to your team — within your namespace only.

• Findings that require physical access to our hardware.
• Social-engineering attempts against teammates, partners, or contractors — we do not consider these meaningful tests of the system.
• Best-practice nudges with no demonstrable impact (e.g. missing CSP headers on this static site).
• Anything that requires denial-of-service against shared infrastructure.

• We respond within one business day.
• We will not pursue or threaten action against good-faith research within the scope above.
• The engine source is published under BSL 1.1 — you can audit the security properties of the code yourself before depending on it.
• When a fix lands, the postmortem is published in /research within seven days — with credit to you, unless you ask to stay anonymous.
• A public reward program will go live when the engine enters public beta. Until then, we offer thanks, swag, and a named place in the postmortem.

• All production secrets are stored in a dedicated vault. No long-lived shared credentials.
• Dependencies are pinned and scanned. Every release notes the dependency tree it was built against.
• Backups of waitlist data are encrypted at rest and tested for restore on a monthly cadence.
• The engine's storage layer uses authenticated writes against object storage — no shared keys, no long-lived ones.