Vulnerability Disclosure Policy
Meridian welcomes responsible reports from security researchers. This policy describes how to contact us, what to expect, and the safe-harbor commitments we make to good-faith reporters. Read it before you test, probe, or publish anything touching our gateway, model routing layer, or customer-facing surfaces.
1. Scope & safe harbor
In-scope assets: meridian.getnimbus.net, llm.getnimbus.net, the public gateway API, and any SDK published under our org. Out of scope: third-party model providers, social engineering of staff, and physical attacks. Good-faith research that stays within this scope and follows this policy will not result in legal action from Meridian.
2. How to report
Email security@getnimbus.net with a clear writeup, a proof of concept, the affected endpoints, and your suggested severity. Encrypt sensitive material (credentials, tokens, working exploit code) to the PGP key below. We acknowledge receipt within 48 hours and aim to complete triage within five business days.
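Before encrypting a report to a key you fetched, confirm that the key you imported actually carries the fingerprint published in this section, and validate the report body before posting it to the endpoint shown in the curl command. The helper below is an added example, not Meridian's own tooling: the endpoint URL and the summary/severity/poc field names come from this page's curl command, while the severity vocabulary, the optional "affected" field, and the sample gpg output (with a made-up full fingerprint) are assumptions for illustration.

```python
"""Pre-submission helpers for a Meridian vulnerability report.

Added example, not Meridian's own tooling. The endpoint URL and the
summary/severity/poc field names come from the curl command in this
section; the severity vocabulary, the "affected" field and the gpg
output sample are assumptions made for illustration.
"""
import json
import re
from typing import Iterable, Optional

REPORT_URL = "https://meridian.getnimbus.net/security/report"

# Fingerprint exactly as printed on this page: 20 hex digits, i.e. only the
# first half of a 40-digit OpenPGP v4 fingerprint.
PUBLISHED_FINGERPRINT = "8B5C F6F4 72B6 0A06 12FF"

# Assumed severity vocabulary; the page names critical/high/medium bands.
SEVERITIES = ("critical", "high", "medium", "low")


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces, colons and any other decoration; compare hex digits only."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def parse_gpg_fingerprint(gpg_output: str) -> Optional[str]:
    """Extract the primary-key fingerprint from `gpg --fingerprint` output.

    Handles both the legacy "Key fingerprint = XXXX XXXX ..." line and the
    bare 40-hex line that gpg 2.1+ prints under the pub line.
    """
    m = re.search(r"fingerprint\s*=\s*([0-9A-Fa-f ]+)", gpg_output)
    if m is None:
        m = re.search(r"^\s*([0-9A-Fa-f]{40})\s*$", gpg_output, re.MULTILINE)
    if m is None:
        return None
    fpr = normalize_fingerprint(m.group(1))
    return fpr if len(fpr) == 40 else None


def fingerprint_matches(observed: str, published: str = PUBLISHED_FINGERPRINT) -> bool:
    """True if `observed` is a full 40-digit fingerprint matching `published`.

    A published value shorter than 40 digits (as on this page) is treated as
    a prefix. A prefix match is weaker than a full match: confirm the
    remaining digits out of band before trusting the key.
    """
    obs = normalize_fingerprint(observed)
    pub = normalize_fingerprint(published)
    if len(obs) != 40 or len(pub) < 16 or len(pub) > 40:
        return False
    return obs.startswith(pub)


def build_report(summary: str, severity: str, poc: str,
                 affected: Iterable[str] = ()) -> str:
    """Serialize a report body for REPORT_URL, rejecting incomplete input."""
    if not summary.strip() or not poc.strip():
        raise ValueError("summary and poc are required")
    sev = severity.strip().lower()
    if sev not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    hosts = sorted({a.strip() for a in affected if a.strip()})
    body = {"summary": summary.strip(), "severity": sev, "poc": poc}
    if hosts:
        body["affected"] = hosts  # assumed optional field, not on the page
    return json.dumps(body, sort_keys=True)


# Constructed sample of `gpg --fingerprint` output (gpg 2.1+ style). Only the
# first 20 digits of the fingerprint come from the page; the rest is made up.
SAMPLE_GPG_OUTPUT = """\
pub   ed25519 2026-01-01 [SC]
      8B5CF6F472B60A0612FF0123456789ABCDEF0123
uid           [ unknown] Meridian Security <security@getnimbus.net>
sub   cv25519 2026-01-01 [E]
"""

if __name__ == "__main__":
    fpr = parse_gpg_fingerprint(SAMPLE_GPG_OUTPUT)
    print("fingerprint prefix matches published value:", fingerprint_matches(fpr or ""))
    # Placeholder content; a real report carries the writeup and repro steps.
    print(build_report("placeholder summary", "High",
                       "placeholder reproduction steps", ["llm.getnimbus.net"]))
```

Run `gpg --fingerprint <key>` after importing the key you were given, feed the output to `parse_gpg_fingerprint`, and only encrypt once `fingerprint_matches` returns True and you have checked the remaining digits against a second source (the email contact, for instance). A key that merely matches the 20 published digits could still be a look-alike, which is why the prefix match is flagged as weaker in the docstring.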
PGP key: MERIDIAN-SECURITY-2026
Fingerprint (as published here): 8B5C F6F4 72B6 0A06 12FF
Before encrypting, confirm that the key you import carries this fingerprint, and check all 40 hex digits of the full fingerprint, not only the prefix printed above.
Alternatively, submit the report over HTTPS to the report endpoint:
curl -X POST https://meridian.getnimbus.net/security/report \
  -H "Content-Type: application/json" \
  -d '{"summary":"...","severity":"high","poc":"..."}'

3. Rewards & coordinated disclosure
We pay rewards for valid reports based on impact and report quality. Critical authentication bypass, tenant isolation breaks, and remote code execution land in the top band. Please hold public disclosure for 90 days from your report, or until a fix ships if that comes first. We will credit you in our security hall of fame unless you request anonymity.
- Critical: up to USD 5,000
- High: up to USD 2,000
- Medium: up to USD 500