
Security Policy

NOMARK Pty Ltd  ·  Last updated: February 18, 2026

Reporting a vulnerability

If you discover a security vulnerability in Sigil, sigilsec.ai, or any NOMARK infrastructure, please report it to us directly before disclosing it publicly.

Email: security@sigilsec.ai

We aim to acknowledge reports within 48 hours.

Scope

In scope: The Sigil CLI (NOMARJ/sigil), sigilsec.ai, and any NOMARK-operated API endpoints.

Out of scope: Third-party packages that Sigil scans (report those to their respective maintainers), Vercel infrastructure, or Stripe billing infrastructure.

What to include

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots
  • Your suggested fix, if you have one

Response timeline

Acknowledgement: Within 48 hours
Initial assessment: Within 5 business days
Fix or mitigation: Depends on severity — critical issues are prioritised
Public disclosure: Coordinated with reporter after fix is deployed

Responsible disclosure

We ask that you give us reasonable time to investigate and fix the issue before public disclosure. We will not take legal action against researchers who report vulnerabilities in good faith and follow this policy.

A note on the CLI

The Sigil CLI is open source under Apache 2.0. You can audit the scanning logic directly at github.com/NOMARJ/sigil. The CLI performs no network calls in the open-source tier — there is no server to attack. Vulnerabilities in the CLI scanning logic (false negatives, bypass techniques) are in scope and valuable reports.