Security & Responsible Disclosure
Last updated: March 17, 2026
Overview
NexWorldTech takes the security of our systems and our clients' data seriously. We welcome reports from security researchers and the broader community about potential vulnerabilities in our systems. If you believe you have found a security issue, we want to hear from you.
This page describes our security practices and outlines our responsible disclosure policy, including how to report vulnerabilities, what we ask of researchers, and what you can expect from us in response.
Our Security Practices
Security is built into every layer of how we operate:
Infrastructure Security
Our systems run on hardened cloud infrastructure. We enforce principle-of-least-privilege access controls, use encrypted storage for all persistent data, and maintain audit logs for administrative actions.
Data in Transit
All connections to our Site and services are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and send HTTP Strict Transport Security (HSTS) headers so that browsers which have seen them refuse plaintext HTTP to our hosts, which blocks HTTP downgrade (SSL-stripping) attacks.
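Whether an HSTS deployment actually blocks downgrade depends on the header's directives: a missing or tiny max-age, or a policy that leaves subdomains uncovered, gives little protection. The following is an added example written for this page, not code from NexWorldTech; it parses a Strict-Transport-Security header value per RFC 6797 and reports the weaknesses a reviewer would flag. The sample header values are constructed for illustration, and the one-year minimum is the commonly recommended threshold rather than anything this policy states.

```python
"""Check a Strict-Transport-Security header for the properties that make it
effective against HTTP downgrade (SSL-stripping) attacks."""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 6797 requires max-age; includeSubDomains and preload are optional flags.
# One year (31536000 s) with includeSubDomains is the usual recommendation
# (assumed threshold for this example, not a value from the policy text).
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: list = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.

    Directives are ';'-separated, names are case-insensitive, and a directive
    name must not appear more than once (RFC 6797 section 6.1). Unknown
    directives are ignored rather than rejected, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    errors = []
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                errors.append(f"invalid max-age value: {value!r}")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        errors.append("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, errors)


def hsts_findings(header_value: Optional[str]) -> list:
    """Return a list of findings; an empty list means the header is acceptable."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header_value)
    findings = list(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 removes the policy from the browser")
        elif policy.max_age < MIN_MAX_AGE:
            findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay downgradable")
    return findings


# Constructed sample header values, not captured from any real host.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "disabled": "max-age=0; includeSubDomains",
    "missing": None,
    "malformed": "includeSubDomains; max-age=abc",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        findings = hsts_findings(value)
        status = "OK" if not findings else "; ".join(findings)
        print(f"{label:10} {value!r}: {status}")
```

Note that this checks the header as served; a browser only enforces the policy after it has received the header once over a trusted HTTPS connection, so the first visit remains unprotected unless the domain is on the browser preload list.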
Application Security
We follow OWASP secure coding guidelines during development. All external inputs are validated and sanitized. Dependencies are monitored for known vulnerabilities and updated regularly.
Access Management
Administrative access to production systems is restricted to authorized personnel, protected by strong authentication, and reviewed on a regular basis.
Incident Response
We maintain an incident response plan and conduct periodic security reviews. In the event of a confirmed breach affecting client data, we will notify affected parties and relevant authorities in accordance with applicable law.
Disclosure Scope
We invite responsible disclosure reports for vulnerabilities in the following systems:
- nexworldtech.com and all subdomains
- Public-facing APIs operated by NexWorldTech
- NexWorldTech-owned mobile applications (if applicable)
Systems and software we build for clients are not in scope for this policy. If you believe you have found a vulnerability in a client-owned system built by NexWorldTech, please contact the operator of that system directly.
How to Report
To report a vulnerability, send an email to security@nexworldtech.com with the following information:
- Description: A clear description of the vulnerability and its potential impact.
- Steps to reproduce: A detailed, step-by-step account of how to reproduce the issue, including any tools or payloads used.
- Affected system: The specific URL, endpoint, or system component affected.
- Evidence: Screenshots, HTTP request/response logs, or proof-of-concept code that demonstrates the vulnerability without causing harm or accessing data beyond your own test account.
- Your contact information: An email address where we can follow up with you.
Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate. We ask for a coordinated disclosure window of 90 days from your initial report.
Our Commitments to You
When you report a vulnerability in good faith and in accordance with this policy, NexWorldTech commits to:
- Acknowledge receipt of your report within 3 business days
- Provide an initial assessment and expected timeline for investigation within 10 business days
- Keep you informed of our progress as we work to validate and remediate the issue
- Not pursue legal action against you for good-faith security research conducted in compliance with this policy
- Credit you in our security acknowledgements (if you wish) upon remediation of a confirmed, in-scope vulnerability
We do not currently offer a paid bug bounty program. We may introduce one in the future.
Out of Scope
The following are outside the scope of our responsible disclosure program and will not be eligible for acknowledgement:
- Denial-of-service (DoS/DDoS) attacks against our infrastructure
- Automated scanning that generates excessive traffic or impacts service availability
- Social engineering or phishing attacks targeting NexWorldTech employees or clients
- Physical security issues
- Vulnerabilities in third-party services or software not under our direct control
- Reports generated entirely by automated scanners without manual validation
- Missing security headers that do not demonstrate a direct, exploitable vulnerability
- Issues that require unlikely user interaction, or that require a prerequisite level of access which would itself constitute a high-severity compromise
- Disclosure of publicly known CVEs in software we use, without evidence of exploitability in our specific configuration
Legal Safe Harbor
NexWorldTech will not pursue legal action against security researchers who:
- Comply with this Responsible Disclosure Policy in full
- Act in good faith to avoid privacy violations, data destruction, service disruption, and degraded user experience
- Do not access data beyond what is minimally necessary to demonstrate the vulnerability
- Do not exfiltrate, modify, delete, or publicly disclose any data accessed as part of research
- Refrain from exploiting the vulnerability for any purpose beyond demonstrating it to us
This safe harbor applies only to activities explicitly authorized by this policy. Activities outside this scope remain subject to applicable law. NexWorldTech reserves the right to determine, in its sole discretion, whether research was conducted in good faith and in accordance with this policy.
Security Contact
NexWorldTech Security Team
Security Reports: security@nexworldtech.com
General / Legal: legal@nexworldtech.com
Please use the security email for all vulnerability disclosures. Do not report security issues through public GitHub issues or social media.