Security
Responsible disclosure
We take the security of our customers' accounts, payments, and data seriously. If you have found a vulnerability in our website, dashboards, or APIs, we want to hear from you. This page describes what is in scope, how we triage reports, and the rewards we offer for good-faith research.
How to report
Email security@getnimbus.net with a clear write-up: affected endpoint, reproduction steps, and impact. Include any artifacts that prove exploitability (HTTP transcripts, screenshots, PoC code) and the account or session you used so we can trace and revoke it.
Transient fallback: if security@getnimbus.net bounces, reach us at getnimbuscontact@gmail.com and we will route the report internally. This fallback is temporary while routing is being finalized.
Encrypted submissions
PGP is coming as part of our Q4 transparency push — a published fingerprint, the public key at /.well-known/security-pgp.asc, and a signed canary.
In the interim, if your report contains sensitive artifacts (working exploit, customer data, payment internals), send them through Discord modmail to our server — DMs to the Nimbus bot are end-to-end via Discord's transport and routed only to staff with the security role. Reference your email thread ID so we can correlate.
Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.
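As an added example (not the live getnimbus.net file and not code from the Nimbus project), the following Python parses a security.txt file in the RFC 9116 "field: value" form and applies the checks a maintainer would want before publishing it: a required Contact with a proper URI scheme, a single Expires timestamp that carries a timezone, is in the future and is not more than a year out, singleton fields not repeated, and web URIs on https. The Contact address comes from this page; the Expires date, Canonical and Policy URLs in the constructed samples are placeholders.

```python
"""Minimal RFC 9116 security.txt parser and sanity checker (added example)."""
from datetime import datetime, timezone, timedelta

# Fields RFC 9116 allows to appear at most once.
SINGLETON_FIELDS = ("expires", "preferred-languages")
# URI schemes RFC 9116 expects for Contact values (web URIs must be https).
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
# Fields whose values are web URIs and therefore must begin with https://.
WEB_URI_FIELDS = ("canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return a dict mapping lowercase field name -> list of values.

    Comment lines ('#') and blank lines are skipped. A line without a ':'
    is kept under the key '_malformed' so the checker reports it rather
    than silently dropping it.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problem strings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line (expected 'field: value'): {line!r}")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required but missing")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {c!r}")

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("Expires is required but missing")
    elif len(expires) == 1:
        try:
            # fromisoformat() on older Pythons rejects a trailing 'Z'.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset (RFC 3339)")
            elif when <= now:
                problems.append(f"file expired on {expires[0]}")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append(f"Expires is not a valid RFC 3339 timestamp: {expires[0]!r}")

    for name in WEB_URI_FIELDS:
        for url in fields.get(name, []):
            if not url.lower().startswith("https://"):
                problems.append(f"{name} must be an https:// URI: {url!r}")
    return problems


# Constructed sample: a well-formed file (URLs and date are placeholders).
GOOD_SAMPLE = """\
# security.txt for getnimbus.net (constructed sample, not the live file)
Contact: mailto:security@getnimbus.net
Expires: 2030-01-01T00:00:00Z
Canonical: https://getnimbus.net/.well-known/security.txt
Policy: https://getnimbus.net/security
Preferred-Languages: en
"""

# Constructed sample: the mistakes the checker is meant to catch.
BAD_SAMPLE = """\
Contact: security@getnimbus.net
Canonical: http://getnimbus.net/.well-known/security.txt
Preferred-Languages: en
Preferred-Languages: de
this line is broken
"""

if __name__ == "__main__":
    checked_at = datetime(2029, 9, 1, tzinfo=timezone.utc)
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, now=checked_at) or "OK")
```

Passing `now` explicitly keeps the expiry check reproducible; in a deployment check you would leave it out so the file is judged against the current time, which is also what turns a stale Expires into a finding before researchers notice it.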
Scope
In scope
- Website: getnimbus.net marketing site and all subpaths
- NimbusLoader.exe: the signed loader binary distributed via /dashboard/download
- Customer dashboard: /dashboard/* — auth, billing, license self-service
- Admin panel: /dashboard/admin/* — auth bypass, IDOR, privilege escalation
- Public APIs: /api/* — request smuggling, injection, auth bypass, IDOR
Out of scope
- Marvel Rivals itself (the game), its anti-cheat (NetEase Easy Anti-Cheat / EAC), or any third-party game-client behavior
- Third-party services we don't operate: KeyAuth, SellAuth, NowPayments, Stripe, Vercel, Cloudflare, Upstash, Resend, Discord
- Physical attacks on Nimbus staff or infrastructure
- Reports based solely on outdated software banners without proof of exploitability
Rewards
Listed amounts are guidance, not contracts. Final payout depends on exploitability, blast radius, and report quality. Genuinely exceptional Critical reports may be funded above the published band at our discretion. Rewards are paid via crypto or PayPal, at the researcher's choice. Duplicates are credited to the first complete report.
| Tier | Reward band | Examples |
|---|---|---|
| Critical | $4,000 | Pre-auth remote code execution on getnimbus.net or NimbusLoader.exe, persistent secret leak (env / KeyAuth seller key / signing key), mass license-key disclosure across customers. |
| High | $1,500 | Server-side request forgery (SSRF) reaching internal services, IDOR on license records or invoices exposing other customers, authentication bypass to a customer or admin session. |
| Medium | $500 | Stored XSS in customer or admin surfaces, sensitive information leak (PII, license metadata, internal endpoints) below the High threshold. |
| Low | $100 | Best-practice findings with a working proof of concept (missing cookie attributes with realistic impact, minor logic flaws, low-risk info disclosure). Hall of Fame credit included. |
Not rewarded
The categories below are out of scope for any monetary reward, even when the underlying observation is technically accurate. We may still acknowledge a particularly useful write-up in the Hall of Fame at our discretion.
- Denial of service of any kind (volumetric, application-layer, resource exhaustion)
- Spam, mass-mail abuse, or unsolicited automated submissions
- Social engineering of Nimbus staff, customers, vendors, or community moderators
- TLS / cipher-suite hardening findings without a working exploit (e.g. "TLS 1.0 supported", weak suite enabled)
- Raw output from automated vulnerability scanners without manual validation and a working proof of concept
- Missing HTTP security headers, missing SPF / DMARC on non-mail domains, or clickjacking on pages without sensitive state-changing actions, in isolation
Response timeline
- Initial acknowledgement: within 5 business days. We confirm receipt of your report and assign a tracking handle.
- Initial triage: within 30 days. Severity classification, reward tier (when applicable), and a rough remediation timeline.
- Public disclosure: coordinated. Default 90 days after triage; earlier with mutual agreement.
Safe harbor
Researchers acting in good faith under this policy will not be pursued legally, banned from the product, or have their license keys revoked as a consequence of their report. Stay within scope; avoid privacy violations and service disruption; give us a reasonable window to remediate before public disclosure; do not access customer data beyond what is necessary to demonstrate the issue; and delete any data you incidentally retrieve. We follow standard coordinated-disclosure norms.
Hall of Fame
Researchers who report valid issues receive public credit (with permission) on our Hall of Fame. Anonymous credit is available on request.