Responsible Disclosure Policy

Last updated: April 24, 2026

We take security seriously.

If you find a vulnerability in NexusVoid, we want to hear from you. Report it responsibly and we will acknowledge and fix it — no legal threats, no drama.

1. How to report

Email your findings to security@nexusvoidai.com with:

  • A clear description of the vulnerability.
  • Steps to reproduce (PoC), including HTTP requests/responses where applicable.
  • Your assessment of the potential impact.
  • Any screenshots or supporting evidence.

We will acknowledge receipt within 48 hours and provide a remediation timeline within 7 business days.

2. Scope

In-scope systems:

  • vapt.nexusvoidai.com — main platform
  • api.nexusvoidai.com — API endpoints

Out of scope:

  • Denial-of-service attacks or load testing without prior permission.
  • Social engineering attacks against NexusVoid staff.
  • Physical security attacks.
  • Vulnerabilities in third-party services we use (report those directly to them).
  • Issues requiring physical access to a user's device.

3. Our commitments

  • We will not take legal action against researchers acting in good faith.
  • We will acknowledge your report within 48 hours.
  • We will keep you informed of remediation progress.
  • We will credit you publicly (if you wish) once the vulnerability is fixed.
  • Critical vulnerabilities will be remediated within 7 days; others within 30 days.

4. Researcher guidelines

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform actions that could degrade service availability.
  • Do not publicly disclose the vulnerability before we have had a chance to fix it (90-day embargo).
  • Test only against your own accounts or accounts you have explicit permission to test.

5. Bug bounty

We do not currently run a formal paid bug bounty program. However, we recognize high-impact disclosures with credit on our security acknowledgements page and may offer complimentary scan credits at our discretion.

6. Contact

Security reports: security@nexusvoidai.com

For PGP-encrypted reports, contact us first and we will provide a public key.