Security & vulnerability disclosure
How to report a security issue to NexinIT (Private) Limited, what to expect from us, and the good-faith research boundaries we commit to.
Report a vulnerability
Email [email protected]. A machine-readable contact is published at /.well-known/security.txt (RFC 9116). Please do not open public issues for security reports.
What to include
- A clear description of the issue and its impact.
- Steps to reproduce (proof-of-concept, affected endpoint or flow, request/response where relevant).
- The affected environment, tenant or organization identifier (if applicable), and timestamps.
- Your name or handle for acknowledgement (optional).
Our response commitment
- Acknowledgement within 3 business days of receipt.
- Triage and severity assessment, with a status update as we validate and prioritise a fix.
- Coordinated disclosure: we will agree a disclosure timeline with you and credit reporters who request it.
Good-faith research (safe harbour)
We will not pursue or support legal action against researchers who, in good faith:
- follow this policy;
- avoid privacy violations, data destruction, and service degradation;
- only interact with accounts they own or have explicit permission to test; and
- give us reasonable time to remediate before public disclosure.
Testing must not target other tenants' data or attempt to breach the multi-tenant boundary beyond what is needed to demonstrate an issue.
Scope & current status
In scope: the public site, the documented API surface, and authentication/authorization flows.
Out of scope: volumetric denial-of-service, social engineering, and findings that require a compromised device or a privileged tenant insider.
We do not operate a paid bug-bounty programme yet; acknowledgement and coordinated disclosure are offered today.
For non-security privacy requests, see the privacy policy. For deployment and readiness posture, see the Trust Center.