NyrA Swarm Little Buddy Security Policy Draft

Status: Draft for attorney review and release review

Last updated: 2026-05-31

Scope: NyrA Swarm Little Buddy desktop app only

Supported Versions

Do not publish a paid public release until a signed or trusted installer path, release notes, checksum policy, support inbox, and vulnerability intake process exist.

Security Contact

Security reports should go to nyrasupport@gmail.com after the user creates/confirms the inbox. Do not publish this address as a security contact until it is monitored.

Reports should include:

• App version.
• Windows version.
• Reproduction steps.
• Impact.
• Screenshots or logs with secrets removed.
• Whether the issue affects billing, license activation, consent, local memory, screen/camera capture, or computer control.

Do not send passwords, full card numbers, bank account numbers, raw API keys, full EIN/SSN, recovery codes, or unredacted private documents.

Vulnerability Testing Rules

Allowed after written approval:

• Local testing against your own installed copy.
• Static review of the app package.
• Reports for consent bypass, entitlement bypass, IPC exposure, local memory export/delete failure, high-impact action bypass, or insecure logging.

Not allowed without explicit written authorization:

• Attacking Stripe, OpenAI, Anthropic, Google, xAI, Cloudflare, Microsoft, email providers, or other third-party systems.
• Social engineering.
• Spam, phishing, malware, persistence, credential theft, or destructive testing.
• Public disclosure before NyrA has had a reasonable remediation period.
• Accessing or modifying another user's device, files, account, subscription, or data.

No bug bounty is promised unless a separate bounty program is published.

Implemented Security Controls

Current implemented controls include:

• Paid feature entitlement gates for API swarm chat, voice, realtime, screen capture, computer control, file/application control, and developer terminal.
• First-run and Settings consent gates for microphone, camera, screen, computer control, third-party AI, local memory, and passive context logs.
• Main-process NYRA_CONSENT_REQUIRED enforcement.
• Main-process NYRA_HIGH_IMPACT_APPROVAL_REQUIRED enforcement for payment, credential, account-changing, destructive, system-setting, installer/script, developer-terminal, and data-sharing risks.
• Restricted preload IPC bridge with invoke/send/listen allowlists, store-key validation, payload validation, unsafe URL blocking, and sanitized renderer listener events.
• Local privacy export and memory/log deletion controls.
• Clean build script that runs release gates in a temp workspace outside the synced Google Drive checkout.
• Dependency audit currently reports zero npm audit vulnerabilities in the clean build workspace.

Required Before Paid Beta

• Confirm support/security inbox.
• Decide code signing or Microsoft Store path.
• Add release checksum and authenticity instructions.
• Add customer-facing diagnostics export with redaction.
• Add crash/log retention policy.
• Add published vulnerability intake page.
• Confirm signed installer build and release notes.
• Test live Stripe webhook and Customer Portal access.

Incident Response Draft

1. Triage report and confirm affected version.
2. Preserve relevant logs without collecting extra sensitive data.
3. Reproduce in a clean test environment.
4. Classify severity: billing/license, consent/privacy, computer control, data exposure, remote execution, dependency, or support issue.
5. Patch, test, and update release gates.
6. Notify affected users when legally required or materially useful.
7. Update the command center, release notes, and support macros.

Source References

• FTC Privacy and Security: https://www.ftc.gov/business-guidance/privacy-security
• FTC Protecting Personal Information: https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business
• South Carolina Code Section 39-1-90: https://law.justia.com/codes/south-carolina/title-39/chapter-1/section-39-1-90/