NVIDIA is dedicated to the security and trust of its software products and services, including all source code repositories managed through our organization.
If you need to report a security issue, use the appropriate contact points outlined below. DO NOT report security vulnerabilities through public GitHub issues or pull requests. If a potential security issue is inadvertently reported through a public channel, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.
Report a potential security vulnerability in NemoClaw or any NVIDIA product through one of the following channels.
- Submit a report through the NVIDIA Vulnerability Disclosure Program. This is the preferred method for reporting security concerns across all NVIDIA products.
- Send an encrypted email to psirt@nvidia.com. Use the NVIDIA public PGP key to encrypt the message.
- You can use GitHub's private vulnerability reporting to submit a report directly on this repository. Navigate to the Security tab and select Report a vulnerability.
Provide as much of the following information as possible:
- Product name and version or branch that contains the vulnerability.
- Type of vulnerability (code execution, denial of service, buffer overflow, privilege escalation, etc.).
- Step-by-step instructions to reproduce the vulnerability.
- Proof-of-concept or exploit code.
- Potential impact, including how an attacker could exploit the vulnerability.
Detailed reports help NVIDIA evaluate and address issues faster.
NVIDIA's Product Security Incident Response Team (PSIRT) triages all incoming reports. After submission:
- NVIDIA acknowledges receipt and begins analysis.
- NVIDIA validates the report and determines severity.
- NVIDIA develops and tests corrective actions.
- NVIDIA publishes a security bulletin and releases a fix.
Visit the PSIRT Policies page for details on timelines and acknowledgement practices.
While NVIDIA does not currently have a public bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy.
For security bulletins, PSIRT policies, and all security-related concerns, visit the NVIDIA Product Security portal. Subscribe to notifications on that page to receive alerts when new bulletins are published.