
Security: novabuilder-org/novabuilder-core

SECURITY.md

Security Policy

Supported Versions

NovaBuilder is a self-hosted, open-source application framework.

Security updates and fixes are provided only for the current release branch.

Version                            Supported
Current stable release             Yes
Deprecated or archived releases    No

Reporting a Vulnerability

We take security vulnerabilities seriously.

If you discover a security issue in NovaBuilder, please follow responsible disclosure practices:

  1. Do not open a public GitHub issue
  2. Report the issue via email to: security@novabuilder.com
  3. Include, where possible:
    • A clear description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested mitigation or fix (optional)

Response Timeline

While timelines may vary depending on severity and complexity, we aim for:

  • Initial acknowledgement within 48 hours
  • Status update within 7 days
  • Resolution as soon as reasonably possible

Responsible Disclosure

We appreciate responsible disclosure and ask that you allow us reasonable time to investigate and address reported issues before any public disclosure.


Security Best Practices

When deploying NovaBuilder in a production environment, we strongly recommend:

  • Keeping all dependencies up to date
  • Generating a strong application key (php artisan key:generate)
  • Using HTTPS in production
  • Securing session, cookie, and authentication settings
  • Protecting and reviewing environment configuration (.env)
  • Applying strict access control and permission rules
  • Monitoring logs and system activity regularly

Self-Hosted Responsibility

NovaBuilder is a self-hosted system.

Operators are responsible for:

  • Server and infrastructure security
  • Database security
  • Network configuration and firewalls
  • Regular backups and recovery plans
  • Access control and user management
  • Monitoring, incident response, and compliance obligations

Security Updates

Security-related updates are published as part of regular releases.

Always review changelogs and test updates in a staging environment before applying them to production systems.


Disclaimer

NovaBuilder is provided "as is", without warranty of any kind.

Security guidance and best practices described in this document do not constitute a guarantee of protection and do not replace proper security reviews or operational responsibility.

There aren’t any published security advisories