nexos.ai Security Practices

Overview

At nexos.ai, security is fundamental to maintaining trust with our users and partners. As an AI platform handling sensitive data and powering critical business operations, we understand that security vulnerabilities can emerge despite our rigorous testing and preventive measures.
We value the cybersecurity community's contributions in identifying potential weaknesses in our systems. This policy establishes a framework for responsible disclosure that protects our users while supporting ethical security research.

Scope

This policy applies to vulnerabilities discovered in:
  • nexos.ai platform infrastructure and applications
  • Our APIs and integration endpoints
  • Machine learning models and AI services
  • Customer-facing web applications and mobile apps
  • Development tools and SDKs

How to Submit a Vulnerability Report

Please report any suspected security vulnerabilities to our dedicated security team:

Required Information

To enable swift investigation and remediation, please provide:
  • Affected Component: Specify the exact URL, API endpoint, application version, or service
  • Vulnerability Classification: Describe the issue type (e.g., injection flaw, authentication bypass, data exposure)
  • Reproduction Steps: Clear, step-by-step instructions to recreate the issue
  • Impact Assessment: Explain potential consequences and affected user populations
  • Proof of Concept: Include screenshots, code snippets, or logs demonstrating the vulnerability (ensure these are harmless)
  • Environment Details: Browser version, operating system, API keys used, etc.

Responsible Disclosure Guidelines

Expected Conduct
Researchers should:
  • Minimize data access to what's necessary for demonstration
  • Use dedicated test accounts when possible
  • Avoid automated scanning without prior approval
  • Refrain from exploiting vulnerabilities beyond proof of concept
  • Maintain confidentiality until we've implemented fixes
  • Delete any downloaded data after reporting

Prohibited Activities
The following actions fall outside this policy's protection:
  • Accessing production user data beyond minimal proof requirements
  • Performing denial-of-service attacks or degrading system performance
  • Physical security testing or social engineering attempts
  • Modifying or deleting data not owned by the researcher
  • Testing on systems not explicitly listed in our scope
  • Public disclosure before agreed-upon timelines

Bug Bounty Program

nexos.ai does not currently operate a monetary bug bounty program.

Legal Framework

This policy operates within applicable laws and regulations. Researchers must comply with:
  • Computer Fraud and Abuse Act (CFAA) and international equivalents
  • Data protection regulations (GDPR, CCPA, and others)

nexos.ai provides safe harbor for security research conducted in good faith according to this policy. We will not initiate legal proceedings against researchers who:
  • Follow this policy's guidelines
  • Act without malicious intent
  • Cease testing upon our request
  • Work with us to understand and resolve issues