Sign inTalk to specialists

Responsible Disclosure Policy

Defines how security researchers can report vulnerabilities to NEXEFII responsibly, the good-faith safe-harbor commitment, what is not permitted, and how reports are handled.

Version
2026.2
Last updated
2026-07-11

Scope

This policy applies to NEXEFII's official services and surfaces, including NEXE Store, Master Control, and Smartbot, when operated under NEXEFII's control.

Out of scope are third-party systems, integrations operated by other vendors, and customer environments outside NEXEFII's direct control.

Safe harbor for good-faith research

NEXEFII supports security research conducted in good faith. If you follow this policy, act responsibly, and cause no harm or access no data beyond the minimum needed to demonstrate a vulnerability, NEXEFII intends to treat that research as authorized and in good faith, rather than as hostile conduct.

This safe-harbor commitment is subject to final legal review and does not override applicable legal obligations or third-party rights.

What NOT to do

To protect users and data, researchers must NOT, among other conduct:

  • Run denial-of-service (DoS/DDoS) attacks or load tests that degrade the service.
  • Exfiltrate, copy, retain, or publish customer data, personal data, or credentials.
  • Access, modify, or destroy accounts or data that are not your own.
  • Violate user privacy or exploit a vulnerability beyond the minimum needed to demonstrate it.
  • Use social engineering, phishing against staff, or physical attacks.

How to report

Report vulnerabilities to contact@nexefii.com. Include a clear description, reproduction steps, potential impact, and any strictly necessary proof-of-concept artifacts — without including third-party personal data.

We ask that you allow reasonable time for investigation and remediation before any public disclosure, and that you not disclose details that could put users at risk.

How reports are handled

NEXEFII's security team intends to acknowledge receipt, triage the report, assess impact, and drive remediation according to severity. We may contact you for clarification.

We do not disclose internal detection rules, monitoring indicators, or operational details that could facilitate abuse. The absence of such details in this policy is intentional.

Rewards

This policy does not promise a financial reward (bug bounty). Any reward program, if and when it exists, and its terms, will be described separately. Do not assume eligibility for payment simply by submitting a report.

Not authorization to attack third parties

This policy does not authorize any activity against third-party systems, subprocessors, infrastructure providers, or customer environments. Testing such systems without your own specific authorization may be unlawful and is not covered by this policy.