Nova's public security basics, official contact points, and responsible disclosure path.

Security and official channels

This page exists to make Nova's public security posture easy to find. It stays close to what is already published across the site, the legal pages, security.txt, and this repository.

In short

  • The official domain is novadao.app.
  • The public email contact is hello@novadao.app.
  • Nova says wallet access depends on the .novakey file and the password.
  • Security reports should stay private.

Official domain

The official domain is novadao.app.

Official email

The public contact for security reporting is hello@novadao.app.

What Nova should never ask for

Nova should never ask for:

  • your password
  • your .novakey file
  • your seed phrase

If anyone asks for any of these items through chat, Telegram, email, or direct message, treat it as phishing.

Responsible disclosure

This domain publishes a security.txt, and this repository publishes a SECURITY.md. Today the private reporting channel is hello@novadao.app.