Scope
This policy applies to NEXEFII's official services and surfaces, including NEXE Store, Master Control, and Smartbot, when operated under NEXEFII's control.
Out of scope are third-party systems, integrations operated by other vendors, and customer environments outside NEXEFII's direct control.
Safe harbor for good-faith research
NEXEFII supports security research conducted in good faith. If you follow this policy, act responsibly, and cause no harm or access no data beyond the minimum needed to demonstrate a vulnerability, NEXEFII intends to treat that research as authorized and in good faith, rather than as hostile conduct.
This safe-harbor commitment is subject to final legal review and does not override applicable legal obligations or third-party rights.
What NOT to do
To protect users and data, researchers must NOT, among other conduct:
- Run denial-of-service (DoS/DDoS) attacks or load tests that degrade the service.
- Exfiltrate, copy, retain, or publish customer data, personal data, or credentials.
- Access, modify, or destroy accounts or data that are not your own.
- Violate user privacy or exploit a vulnerability beyond the minimum needed to demonstrate it.
- Use social engineering, phishing against staff, or physical attacks.
How to report
Report vulnerabilities to contact@nexefii.com. Include a clear description, reproduction steps, potential impact, and any strictly necessary proof-of-concept artifacts — without including third-party personal data.
We ask that you allow reasonable time for investigation and remediation before any public disclosure, and that you not disclose details that could put users at risk.
How reports are handled
NEXEFII's security team intends to acknowledge receipt, triage the report, assess impact, and drive remediation according to severity. We may contact you for clarification.
We do not disclose internal detection rules, monitoring indicators, or operational details that could facilitate abuse. The absence of such details in this policy is intentional.
Rewards
This policy does not promise a financial reward (bug bounty). Any reward program, if and when it exists, and its terms, will be described separately. Do not assume eligibility for payment simply by submitting a report.
Not authorization to attack third parties
This policy does not authorize any activity against third-party systems, subprocessors, infrastructure providers, or customer environments. Testing such systems without your own specific authorization may be unlawful and is not covered by this policy.