Vulnerability Disclosure Policy

We value security researchers who help keep NestKeepr and our users safe

At NestKeepr, we take the security of our users' data seriously. We appreciate the work of security researchers who help identify vulnerabilities in our systems. This policy describes how to report vulnerabilities to us and what you can expect in return.

Last Updated: January 2026

Safe Harbor

If you conduct security research in good faith and in accordance with this policy, we will:

  • Consider your research to be authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
  • Not pursue legal action against you for your research activities
  • Work with you to understand and resolve the issue quickly
  • Publicly acknowledge your contribution (with your permission)

Scope

In Scope

  • nestkeepr.com and all subdomains
  • NestKeepr web application
  • NestKeepr API endpoints
  • Authentication and authorization systems
  • Document upload and processing systems

Out of Scope

  • Third-party services (Supabase, Vercel, Stripe)
  • Physical security testing
  • Social engineering attacks on employees
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing campaigns

Qualifying Vulnerabilities

We are particularly interested in the following types of vulnerabilities:

  • Remote code execution
  • SQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass
  • Authorization flaws (IDOR)
  • Server-side request forgery (SSRF)
  • Sensitive data exposure
  • Insecure direct object references
  • Business logic vulnerabilities

Non-Qualifying Issues

The following issues are generally not eligible for recognition:

  • Missing security headers that do not lead to exploitable vulnerabilities
  • Self-XSS (where the user must be tricked into attacking themselves)
  • Rate limiting issues that do not pose a security risk
  • Clickjacking on pages with no sensitive actions
  • Username or email enumeration
  • Vulnerabilities requiring physical access to a user's device
  • Theoretical vulnerabilities without proof of exploitability

How to Report a Vulnerability

Email Us

Send your report to security@nestkeepr.com

Please Include:

  1. Description of the vulnerability and its potential impact
  2. Steps to reproduce the issue (detailed, step-by-step)
  3. Proof of concept (screenshots, videos, or code if applicable)
  4. Your contact information for follow-up questions
  5. Any relevant tools or techniques used in your testing

What to Expect

  • Within 3 business days: initial acknowledgment of your report
  • Within 10 business days: assessment and severity determination
  • Within 90 days: resolution of confirmed vulnerabilities
  • After resolution: public acknowledgment (with your permission)

Research Guidelines

To ensure safe harbor protection, please follow these guidelines:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform testing that degrades service for other users
  • Do not publicly disclose vulnerabilities before we've had a chance to fix them
  • Do use test accounts you create for research purposes
  • Do stop testing and report immediately if you access user data
  • Do act in good faith to avoid privacy violations

Recognition

We deeply appreciate security researchers who help us protect our users. With your permission, we will publicly acknowledge your contribution on our security page. While we do not currently offer a monetary bug bounty program, we are committed to recognizing valuable contributions to our security.