Security

Responsible Disclosure

We take the security of Nimbus and our users seriously. If you discover a vulnerability, we want to hear from you.

Reporting a Vulnerability

Send your findings to security@getnimbus.net. Include a detailed description, steps to reproduce, and any supporting material (proof-of-concept code, screenshots, or packet captures). Encrypt sensitive communications with our PGP key, which is available on request.

What We Ask of You

  • Give us a reasonable window to investigate and patch before public disclosure.
  • Do not access, modify, or delete data that does not belong to you.
  • Do not degrade the service or disrupt other users while testing.
  • Act in good faith and follow the principles of coordinated disclosure.

Our Commitment

  • We will acknowledge your report within 14 days.
  • We will keep you informed of our progress and notify you when the issue is resolved.
  • We will not pursue legal action against researchers who comply with this policy.
  • We are happy to publicly acknowledge your contribution once the fix is deployed, with your permission.

Scope

This policy covers the Nimbus desktop application, the getnimbus.net website, the licensing API, and the auto-update infrastructure. Third-party services integrated into Nimbus are out of scope unless the vulnerability directly affects our implementation.

We reserve the right to update this policy at any time. This is not a bug bounty program and we do not offer monetary rewards. Safe harbor applies to research conducted in accordance with this policy.