Skip to main content

Responsible Disclosure

We build security tools, and we take the security of our own systems seriously. We do not run a paid bug bounty, and we do not invite testing of our systems, but if you discover a vulnerability in good faith, we genuinely want to hear from you, and we will work with you to fix it.

Last updated: 14 July 2026

1. Our commitment (safe harbour)

If you discover a vulnerability in our systems in good faith and report it to us in accordance with this policy, we will not pursue or support legal action against you for that research or disclosure (including under our Terms of Service or applicable computer-misuse laws) and we will treat your good-faith research and disclosure as authorised for the purposes of this policy. We will work with you to understand, validate, and remediate the issue.

2. Please act in good faith

To qualify for the safe harbour above, please:

  • avoid privacy violations, data destruction, and interruption or degradation of our services;
  • only interact with accounts and data that you own or have explicit permission to use: never access, modify, or delete other people’s data;
  • stop at a proof of concept: probe only as far as needed to demonstrate the issue, and do not exploit it further;
  • do not run high-volume automated scanning, denial-of-service, spam, social engineering, or physical attacks;
  • give us a reasonable opportunity to remediate before disclosing publicly, and keep the details confidential until we confirm the issue is resolved.

3. Scope

This policy covers vulnerabilities in NIMIS Intelligence’s own production systems and domains (including nimisintelligence.com and its subdomains). The following are out of scope:

  • third-party services and platforms we use: please report those to the relevant provider;
  • findings that require physical access, social engineering, or a compromised device;
  • volumetric denial-of-service, and reports of missing best practices without a demonstrable security impact;
  • our customers’ applications: testing of customer systems is governed by the Pentesting Services Agreement, not this policy.

4. How to report

Email us at security@nimisintelligence.com with enough detail for us to reproduce the issue: the affected system or URL, a description of the vulnerability, clear steps to reproduce, and its potential impact. Include a proof of concept if you have one. Please do not include real personal data of any third party in your report.

5. What you can expect from us

  • we will acknowledge your report and keep you reasonably informed of our progress;
  • we will work in good faith to validate and remediate confirmed issues;
  • we will not take legal action against you for good-faith research under this policy;
  • if you would like, we are happy to credit you once the issue is resolved.

6. Not a paid bug bounty

We do not currently offer monetary rewards for reports. What we offer is our genuine thanks, this safe-harbour commitment, and a collaborative effort to fix what you find.

7. Relationship to our other terms

This policy provides a safe harbour for good-faith discovery and disclosure. It does not otherwise invite, encourage, or authorise you to test or attack our systems, and our Terms of Service continue to apply. If you are unsure whether an action is permitted, contact us first.

8. Contact

Security reports: security@nimisintelligence.com. For anything else, use our contact page.