Security Policy

Last updated: May 21, 2026

We take the security of NSS Background Remover seriously. Because the tool processes images entirely in your browser, the attack surface is narrower than typical web applications — there is no image upload server, no user database, and no authentication system. However, the static hosting, CDN, service worker, and client-side code all warrant careful attention.

The machine-readable version of this policy is also available at /.well-known/security.txt.

Reporting a vulnerability

If you believe you have found a security vulnerability in NSS Background Remover, please report it to us by email:

security@novusstreamsolutions.com

Please include as much detail as possible:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or proof-of-concept code
  • The URL or component affected
  • Your contact information (optional, but helpful for follow-up)

We aim to acknowledge all security reports within 48 hours and to provide an initial assessment within 5 business days.

Scope

The following are in scope:

  • bgremover.novusstreamsolutions.com and all subpaths
  • The service worker and caching behaviour
  • Content Security Policy bypass
  • Cross-site scripting (XSS)
  • Any vulnerability that could affect user privacy or data integrity

The following are out of scope:

  • Social engineering attacks targeting our staff
  • Physical security
  • Denial of service (DoS/DDoS) attacks
  • Reports from automated scanners without manual validation
  • Third-party services (Vercel infrastructure, Hugging Face CDN) — please report those to the respective vendors
  • Vulnerabilities requiring a compromised device or browser

Our commitments

  • We will not pursue legal action against researchers acting in good faith under this policy.
  • We will acknowledge your report promptly and keep you informed of our progress.
  • We will credit you in our security changelog (if you wish) when a valid vulnerability is resolved.
  • We ask that you not disclose publicly until we have had a reasonable opportunity to address the issue — typically 90 days.

Security design principles

  • No image upload: Images are processed on-device. There is no server endpoint that accepts image data.
  • Content Security Policy: A CSP header restricts script sources, worker sources, and connection targets. Currently in Report-Only mode during the launch period; enforced mode is planned before general availability.
  • COOP/COEP: Cross-Origin Opener Policy and Cross-Origin Embedder Policy are set on the editor route to enable SharedArrayBuffer (multi-threaded WebAssembly) without relaxing the default browsing context security.
  • No secrets in client bundle: All client-side environment variables are prefixed NEXT_PUBLIC_ and contain only non-sensitive public identifiers.
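As an added example that is not the project's own code, the following shows how the headers described above fit together in a Next.js headers() configuration, with the Report-Only and enforced CSP modes selected by one switch. It assumes the app is Next.js (suggested by the NEXT_PUBLIC_ prefix), that the editor route is /editor, and that https://huggingface.co stands in for the Hugging Face CDN origin; all three are assumptions, not facts from this page.

```javascript
// Added example (not the project's own code): builds the response headers the
// policy describes, in the shape a Next.js `headers()` config returns.
// Assumptions: the app is Next.js (suggested by the NEXT_PUBLIC_ prefix), the
// editor is served at /editor, and models load from https://huggingface.co
// (a stand-in for the "Hugging Face CDN"; substitute the real origin).
const MODEL_CDN = 'https://huggingface.co';

// CSP for a browser-only tool: no remote scripts, workers only from the app,
// outbound connections limited to the app itself and the model CDN.
// 'wasm-unsafe-eval' lets WebAssembly compile without allowing JS eval().
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self' 'wasm-unsafe-eval'",
    "worker-src 'self' blob:",
    `connect-src 'self' ${MODEL_CDN}`,
    "img-src 'self' blob: data:",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// enforce=false is the launch-period setting: violations are only reported,
// nothing is blocked, so missing sources surface before enforcement is on.
function cspHeader(enforce) {
  const key = enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
  return { key, value: buildCsp() };
}

// COOP + COEP give the editor a cross-origin-isolated context, which browsers
// require before exposing SharedArrayBuffer (multi-threaded WebAssembly).
// Caveat: under require-corp every cross-origin resource, model files
// included, must carry Cross-Origin-Resource-Policy or be fetched with CORS.
function isolationHeaders() {
  return [
    { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
    { key: 'Cross-Origin-Embedder-Policy', value: 'require-corp' },
  ];
}

// Shape matches the array returned by `async headers()` in next.config.js:
// CSP on every route, isolation headers on the editor route only.
function securityHeaders(enforceCsp) {
  return [
    { source: '/(.*)', headers: [cspHeader(enforceCsp)] },
    { source: '/editor', headers: isolationHeaders() },
  ];
}
```

Flip securityHeaders(false) to securityHeaders(true) once the report-only logs show no legitimate sources being flagged.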

Bug bounty

We do not currently operate a paid bug bounty program. We offer public acknowledgement and our genuine gratitude for valid, responsibly disclosed reports.