How to report vulnerabilities responsibly. This is operational guidance, not a bug bounty contract unless we publish one separately.
Last updated: May 25, 2026
Product template — not legal advice.
Configure SECURITY_CONTACT_EMAIL in production. This page does not create a monetary reward program unless stated elsewhere.
Effective: May 25, 2026
Version 2026-05-25.1 · Product template — not legal advice.
Report security issues to the address published on this page at deploy time. If no address is configured, use the Contact form and select a security-related subject. Do not disclose issues publicly before we have had a reasonable chance to respond.
Legal review required before production commitments.
We welcome reports about authentication bypass, tenant isolation flaws, injection, sensitive data exposure, and other issues affecting confidentiality, integrity, or availability of Nyxce Core production systems.
Social engineering of our staff, denial-of-service against production without coordination, issues in third-party services (Twilio, Supabase, OpenAI, etc.) unless they stem from our integration, and findings in customer-configured content or prompts.
We will not pursue legal action against researchers who act in good faith, avoid privacy violations, do not exploit beyond demonstration, and give us reasonable time to remediate—provided you follow these guidelines.
Do not access other customers’ data, destroy data, disrupt live calls, or include personal data of real callers in your report. Use test workspaces where possible.
We aim to acknowledge reports within a few business days, assign severity, and communicate remediation status. Critical issues may be fixed out-of-band. We may request additional information to reproduce findings.
Security contact: security@nyxcecore.com (configure NEXT_PUBLIC_SECURITY_CONTACT_EMAIL)TODO: Set NEXT_PUBLIC_SECURITY_CONTACT_EMAIL in production before launch.
