Security Policy & Responsible Disclosure

We take the security of our platform and our users' data seriously. If you believe you've found a security vulnerability in Nucore Systems, we want to hear from you.

How to Report a Vulnerability

Please report any suspected security vulnerabilities responsibly and privately before disclosing them publicly. We ask that you give us reasonable time to investigate and address the issue.

🔒

security@nucoresys.com

Send all vulnerability reports to this address. We aim to respond within 5 business days.

📧

Email Report

Send a detailed email to security@nucoresys.com describing the vulnerability, including steps to reproduce, impact assessment, and any proof-of-concept if available.

🔐

Encrypted Communication

For sensitive disclosures, we encourage you to encrypt your email. Please contact us first at security@nucoresys.com to request our PGP key.

What's In Scope

We welcome reports on security issues affecting any of our core systems and properties.

✅ In Scope

  • nucoresys.com and all subdomains
  • Nucore web application and dashboard
  • Authentication and session management
  • API endpoints and data handling
  • User data exposure or leakage
  • Cross-site scripting (XSS)
  • SQL injection or data injection
  • Broken access control / privilege escalation
  • Security misconfigurations

🚫 Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Physical security issues
  • Social engineering or phishing of Nucore staff
  • Spam or email flooding
  • Vulnerabilities in third-party services we use
  • Issues on non-Nucore infrastructure
  • Automated scanner results without proof of impact
  • Missing security headers without demonstrated impact

Our Response Process

Here's what happens after you submit a vulnerability report.

Step 1
📬

Acknowledgement

We confirm receipt of your report within 5 business days and assign it a tracking reference.

Step 2
🔍

Investigation

Our team triages and investigates the report. We may follow up with questions to better understand the issue.

Step 3
🛠️

Remediation

We develop and deploy a fix. For critical vulnerabilities, we prioritize an expedited patch.

Step 4

Disclosure

We coordinate with you on responsible public disclosure timing once the fix is live.

Responsible Disclosure Guidelines

We ask that all security researchers follow these guidelines when investigating and reporting vulnerabilities.

  • Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability.
  • Do not perform DoS attacks or disrupt service availability during your research.
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days).
  • Do not use automated scanners aggressively against our production systems.
  • Provide sufficient detail in your report to allow us to reproduce and understand the issue.
  • Act in good faith — we commit to doing the same in return.

🛡️ Safe Harbor

Nucore Systems LLC will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in compliance with these guidelines. We consider responsible security research a valuable contribution to the security of our platform and our users. If you follow these guidelines, we consider your research authorized and will work with you to understand and remediate the issue quickly.

What to Include in Your Report

A detailed, well-structured report helps us triage and resolve issues faster.

📋

Required Information

  • Type and nature of vulnerability
  • URL or component affected
  • Step-by-step reproduction instructions
  • Potential impact and severity
  • Your contact information for follow-up

Helpful Additions

  • Screenshots or screen recordings
  • Proof-of-concept code (non-destructive)
  • Browser and OS details
  • Network captures (if applicable)
  • Suggested remediation steps

Ready to Report an Issue?

Thank you for helping keep Nucore Systems and our users safe. Responsible disclosure makes the entire platform more secure for everyone.

📧 Email security@nucoresys.com Contact Us

Our security.txt is available at https://www.nucoresys.com/.well-known/security.txt