Security
Responsible disclosure
We take the security of our customers' accounts, payments, and data seriously. If you have found a vulnerability in our website, dashboards, or APIs, we want to hear from you. This page describes what is in scope, how we triage reports, and the rewards we offer for good-faith research.
How to report
Email security@getnimbus.net with a clear write-up: affected endpoint, reproduction steps, and impact. Encrypted submissions are welcome — request our PGP key in your first message. You may also submit via the structured form at the disclosure portal.
Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.
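As an added illustration of what that file has to contain, the checker below validates a security.txt against the RFC 9116 rules a publisher most often gets wrong: the two required fields (Contact, Expires), the URI form of Contact values, and an Expires value that has already passed or lies more than a year out. It is example code written for this page, not Nimbus's own tooling; the sample file, domain and URLs inside it are constructed placeholders.

```python
"""Minimal RFC 9116 security.txt checker (added example, not Nimbus code).

Works on the plain-text form of the file. A clearsigned file would need its
PGP armor and "Hash:" header stripped before it is handed to these functions.
"""
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116; anything else is reported as unknown.
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
    "Hiring", "Policy", "Preferred-Languages",
}
# RFC 9116 allows mailto:, tel: and https: URIs in Contact.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed sample for this example, not the live file.
SAMPLE = """\
# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security
Preferred-Languages: en
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name -> list of values, skipping comments and blank lines."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or not a "Name: value" line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    fields = parse_security_txt(text)
    problems: list[str] = []

    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field: {required}")

    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {value}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            # RFC 9116 uses ISO 8601; accept a trailing "Z" on older Pythons too.
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"Expires has passed: {value}")
        elif when - now > timedelta(days=365):
            problems.append(f"Expires is more than a year out: {value}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE, datetime.now(timezone.utc)):
        print("PROBLEM:", problem)
```

Run it against the file you actually serve at /.well-known/security.txt and, because Expires is mandatory and must stay in the future, schedule the check so the file is renewed before it lapses rather than after a researcher finds it stale.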
Scope
In scope
- Website: getnimbus.net marketing site and all subpaths
- Customer dashboard: /dashboard/* — auth, billing, license self-service
- Admin panel: /dashboard/admin/* — auth bypass, IDOR, privilege escalation
- Public APIs: /api/* — request smuggling, injection, auth bypass, IDOR
Out of scope
- Physical attacks on Nimbus staff or infrastructure
- Social engineering of Nimbus staff, customers, or vendors
- Anti-cheat research and bypass methodology in the product itself (out of scope for this program; not a vulnerability)
- Findings on third-party services we don't operate (Vercel, Cloudflare, Upstash, Resend, SellAuth, KeyAuth, Discord)
- Volumetric DoS, traffic floods, or rate-limit stress tests
- Reports based solely on outdated software banners without proof of exploitability
- Self-XSS, missing HTTP security headers without a working PoC, missing SPF/DMARC on non-mail domains
- Clickjacking on pages without sensitive state-changing actions
Rewards
Bands are guidance, not contracts. Final amount depends on exploitability, blast radius, and report quality. Paid via crypto or PayPal at the researcher's choice. Duplicates are credited to the first complete report.
| Tier | Reward band | Examples |
|---|---|---|
| Critical | $500 – $2,000 | Remote code execution, full account takeover without user interaction, mass data exfiltration, admin auth bypass. |
| High | $200 – $500 | Authenticated privilege escalation, sensitive IDOR exposing other customers' data, stored XSS in admin context, secrets disclosure. |
| Medium | $50 – $200 | Reflected XSS with realistic delivery, CSRF on state-changing endpoints, business-logic flaws with measurable impact. |
| Low | Recognition only | Information disclosure without sensitive data, missing security best practices with a working PoC, Hall of Fame credit. |
Response timeline
- Initial response: within 24 hours. Acknowledgement of receipt.
- Triage: within 72 hours. Severity classification and reward tier (when applicable).
- Fix: within 14 days for Critical and High issues; lower severities tracked separately.
- Public disclosure: 90 days, coordinated. Earlier with mutual agreement.
Safe harbor
We will not pursue legal action against researchers who follow this policy in good faith, avoid privacy violations and service disruption, and give us a reasonable window to remediate before disclosure. Stay within scope; do not access data beyond what is necessary to demonstrate the issue; delete any data you incidentally retrieve.
Hall of Fame
Researchers who report valid issues receive public credit (with permission) on our Hall of Fame. Anonymous credit is available on request.