Vulnerability Disclosure Policy
Last Updated: May 20, 2026
NexNodo Inc. ("NexNodo", "we", "our", or "us") takes the security of the NexNodo platform, infrastructure orchestration systems, Marketplace, APIs, cloud infrastructure services, AI infrastructure services, and related operational systems seriously.
This Vulnerability Disclosure Policy ("VDP") describes the process for responsibly reporting potential security vulnerabilities relating to the NexNodo platform or Services.
NexNodo appreciates the efforts of security researchers, customers, partners, and members of the security community who help identify and responsibly disclose potential security issues.
1. Purpose of this Policy
The purpose of this Policy is to:
- encourage responsible security research,
- provide a clear reporting process,
- improve the security of the NexNodo platform and Services,
- protect Customers, Infrastructure Providers, Vendors, and platform users,
- and establish guidelines for coordinated vulnerability disclosure.
This Policy applies solely to good-faith security research intended to improve the security and integrity of the Services.
2. Scope
This Policy applies to security vulnerabilities relating to:
- the NexNodo website,
- platform infrastructure,
- APIs,
- orchestration systems,
- authentication systems,
- Marketplace systems,
- cloud management systems,
- deployment infrastructure,
- AI infrastructure services,
- MCP infrastructure,
- customer-facing dashboards,
- and related NexNodo-controlled systems.
This Policy does not apply to third-party infrastructure providers, Vendor-managed applications, third-party Marketplace software, external cloud providers, customer-managed workloads, or third-party services not owned or controlled by NexNodo.
Security vulnerabilities affecting third-party Vendors, Marketplace applications, or Infrastructure Providers should be reported directly to the applicable provider where appropriate.
3. Responsible Disclosure Requirements
Security researchers acting in good faith under this Policy are expected to:
- avoid privacy violations,
- avoid destruction or modification of data,
- avoid service disruption,
- avoid unauthorized access to Customer content,
- avoid accessing information unrelated to the vulnerability,
- avoid disruption of production systems,
- avoid excessive testing activity,
- and avoid actions that may negatively impact Customers, Vendors, Infrastructure Providers, or platform stability.
Researchers must immediately stop testing and notify NexNodo upon discovering sensitive Customer data, unauthorized access, privilege escalation, infrastructure instability, or unintentional exposure of confidential information.
Testing must be conducted only against accounts, systems, or environments owned or authorized by the researcher.
4. Prohibited Activities
The following activities are prohibited under this Policy unless explicitly authorized in writing by NexNodo:
- denial-of-service attacks,
- distributed denial-of-service attacks,
- ransomware testing,
- malware deployment,
- phishing,
- social engineering,
- credential attacks,
- destructive testing,
- spam attacks,
- automated exploitation at scale,
- cryptocurrency mining,
- physical attacks,
- supply chain attacks,
- extortion,
- data exfiltration,
- persistence mechanisms,
- privilege abuse,
- exploitation of third-party systems,
- or unauthorized access to Customer environments.
Researchers may not intentionally access, modify, delete, download, export, or retain Customer data, confidential information, or operational information unrelated to the reported vulnerability.
5. Reporting a Vulnerability
Potential vulnerabilities should be reported promptly to NexNodo through: support@nexnodo.com
Reports should include:
- a detailed description of the vulnerability,
- affected systems or URLs,
- steps to reproduce the issue,
- proof-of-concept information where appropriate,
- potential impact,
- timestamps,
- and contact information for follow-up communication.
Researchers should provide sufficient detail to enable NexNodo to reproduce and investigate the reported issue.
6. Coordinated Disclosure
NexNodo requests that researchers maintain confidentiality, avoid public disclosure, and refrain from publishing exploit details until NexNodo has had a reasonable opportunity to investigate, mitigate, or remediate the reported issue.
NexNodo may coordinate disclosure timelines with researchers depending on severity, operational impact, customer exposure, infrastructure complexity, third-party dependencies, or legal obligations.
7. NexNodo Response Process
Upon receiving a vulnerability report, NexNodo may acknowledge receipt, investigate the report, assess severity, validate the issue, coordinate remediation, communicate with affected providers or Vendors, and implement mitigation or remediation measures.
NexNodo does not guarantee specific remediation timelines.
8. Safe Harbor
NexNodo will not pursue legal action against researchers for good-faith security research conducted in compliance with this Policy.
Good-faith research conducted within the scope of this Policy will generally be considered authorized activity under applicable anti-hacking laws.
However, activities that violate this Policy, disrupt Services, expose Customer data, compromise infrastructure integrity, violate applicable laws, or exceed authorized testing boundaries may result in suspension of access, legal action, or referral to law enforcement authorities.
Nothing in this Policy creates immunity from applicable laws or regulations.
9. Bug Bounty Programs
Unless explicitly stated otherwise, NexNodo does not currently operate a public bug bounty or vulnerability reward program.
NexNodo reserves the right to introduce, modify, suspend, or terminate any vulnerability reward or bug bounty programs at any time.
10. Third-Party Services and Marketplace Applications
NexNodo may coordinate disclosures with affected third parties where appropriate but is not responsible for vulnerabilities affecting systems outside NexNodo's operational control.
Researchers should avoid testing third-party systems without authorization from the applicable third party.
11. No Warranty
This Policy does not create any obligation for NexNodo to provide compensation, disclose remediation details, publicly acknowledge researchers, or resolve reported vulnerabilities within any specific timeframe.
NexNodo reserves sole discretion regarding investigation, remediation, disclosure, and response activities.
12. Changes to this Policy
NexNodo may revise, update, amend, or modify this Vulnerability Disclosure Policy from time to time to reflect changes in operational practices, infrastructure architecture, Marketplace functionality, AI-related services, security practices, or legal requirements.
Updated versions will be posted on the NexNodo website with revised effective dates.
13. Contact Information
Security reports and vulnerability disclosures should be submitted to: support@nexnodo.com
General legal inquiries: support@nexnodo.com
NexNodo Inc.
2810 N Church St
STE 88715
Wilmington, DE 19802
United States
Website: https://www.nexnodo.com