Responsible Disclosure Program

Last reviewed: 2026-04-20.

We take security seriously. If you believe you have found a vulnerability

in Nexus Social, please report it privately to us before disclosing it

publicly. We will work with you to confirm, fix, and credit the report.

How to report

**Email:** `security@my-nexus.social`

Include, where possible:

• A clear description of the issue and its impact.
• Steps to reproduce (or a proof-of-concept).
• The affected URLs, endpoints, or app version (Build / commit hash).
• Your name / handle if you'd like public credit.

PGP / encrypted email is welcome — request our key via the same address.

Machine-readable disclosure metadata is published at

[`/.well-known/security.txt`](https://my-nexus.social/.well-known/security.txt).

Response timeline

| Stage | Target |

| --------------------------------- | ----------------------------------------- |

| Acknowledgement | 1 business day |

| Initial triage / severity rating | 5 business days |

| Status update | every 7 days until resolution |

| Fix in production | Critical: 7 days · High: 30 days · Medium: 90 days · Low: best-effort |

We will let you know when the fix ships and (with your permission) credit

you in the public disclosure.

Safe-harbor commitment

We will not pursue civil or criminal action, or notify law enforcement,

for security research conducted in good faith that:

• Stays within scope (see below).
• Does not compromise the privacy of other users — do not access, modify,

or download data belonging to anyone other than yourself or a test

account you own.

• Does not perform denial-of-service, social-engineering of our

employees, physical attacks, or spam.

• Gives us a reasonable opportunity to remediate before any public

disclosure (typically the timelines above).

Scope

In scope:

• `*.my-nexus.social` web surface.
• The mobile apps (iOS/Android) distributed through Apple App Store and

Google Play.

• Public APIs documented under `https://my-nexus.social/api/...`.

Out of scope (please do not report; we already track these):

• Reports from automated scanners with no demonstrated impact.
• Missing security headers without a concrete exploit.
• Rate-limiting / brute-force where existing limits are enforced.
• Social engineering of users or employees.
• Issues in third-party services we depend on (Stripe, Twilio, Resend,

RevenueCat, OpenAI, Apple, Google) — please report those upstream.

• Self-XSS or attacks requiring physical access to an unlocked device.

Bounty

We do not currently operate a paid bug-bounty program. We do publish a

**hall of fame** thanking researchers and, where applicable, ship swag.

We reserve the right to introduce a paid program later; this document

will be updated accordingly.

Changes

This program may be updated as the product matures. The latest version

of this document is always at

[`/security/responsible-disclosure`](https://my-nexus.social/security/responsible-disclosure).

Canonical source: docs/security/responsible-disclosure.md