Responsible Disclosure Policy
This document sets out the framework for Nucleus AI's responsible disclosure programme, also known as a 'bug bounty' programme. In keeping with our commitment to transparency and collaborative development, Nucleus AI extends that approach to security researchers acting in good faith. The principle behind this policy is that external security expertise should complement our internal development process. Nucleus AI welcomes the responsible disclosure of potential security vulnerabilities in our infrastructure, subject to the terms set out in this policy, and offers compensation for reported vulnerabilities based on our internal severity assessment process.
Scope
Products and services in scope:
Our responsible disclosure programme covers the following components:
- Nucleus AI Device Operating System (latest version)
- Nucleus AI Cloud Infrastructure, including:
  - Device Service Architecture
  - RESTful API Endpoints
  - Webhook and Integration Systems
  - Administrative Console Interface
  - Authentication and Single Sign-On Mechanisms
  - Development Environment
- Any publicly exposed infrastructure supporting Nucleus AI's products or organisational operations, including but not limited to public cloud storage repositories.
Not in scope:
The following are outside the scope of this programme:
- Hardware vulnerabilities that require physical access to a device to exploit.
- Third-party business applications used within Nucleus AI's operations:
  - This includes the Nucleus AI blog platform, community forums, and similar external-facing non-core applications.
- Development and staging environments, unless a vulnerability in them demonstrably affects production environments.
- Source code repositories not contained within the /nucleus-ai/ organisation.
Please note that the following vulnerability classes also currently fall outside the scope of the programme:
- Configuration and implementation practices concerning SPF/DMARC, CORS, security headers, or weak SSL/TLS cipher suites.
- Denial of Service attack vectors.
- Informational disclosures such as file path revelations, unless they demonstrably lead to exposure of sensitive information.
- Clickjacking vulnerabilities not present within explicitly in-scope web interfaces.
- Email and account policy implementations, including password reset methodologies and complexity requirements.
- Theoretical Cross-Site Scripting (XSS) or Self-XSS findings without evidence of exploitation, such as input reflection with no actionable impact.
- Best-practice concerns about implementation (including rate limiting configuration).
- Communication manipulation techniques.
- Social engineering attacks targeting Nucleus AI personnel.
- Vulnerability reports generated by automated scanning tools without human verification and context.
Rules of Engagement and Legal Framework
Nucleus AI will not take legal action against individuals or entities who submit vulnerability reports concerning in-scope products and services (as defined above) through the approved channels (defined below).
Nucleus AI further commits not to pursue legal remedies against individuals or entities who observe the following rules when identifying and disclosing vulnerabilities:
- Testing and research must be non-disruptive (in particular, no denial of service techniques) and must not compromise Nucleus AI's operations or customer experience. If you are unsure whether a particular testing method could be disruptive, err on the side of caution and consult Nucleus AI's security team before proceeding.
- Testing and research must target only in-scope systems. If you are unsure whether a system is in scope, ask first.
- Testing and research must not deliberately attempt to access information belonging to Nucleus AI customers. Use your own authenticated accounts in the Nucleus AI environment for testing instead.
- Security researchers must keep identified issues confidential and must not disclose them publicly before a mutually agreed disclosure date.
- Security researchers are solely responsible for complying with all applicable laws throughout their research.
All security researchers who wish to be considered for compensation must ensure that their research and testing strictly follow the rules set out above.
How to Report a Vulnerability to Nucleus AI
Vulnerability reports should be sent by email to the Nucleus AI security team at [email protected].
Nucleus AI publishes a security.txt file (https://securitytxt.org/) with current information about our responsible disclosure programme and preferred contact channels. Before submitting a vulnerability, please review our security.txt file at https://www.nucleus-ai.io/.well-known/security.txt to ensure you have the most current information.
The security.txt file references the Nucleus AI Security team's public key, which may optionally be used to encrypt your report. Encryption is particularly advisable for submissions containing sensitive data.
Preference, Prioritisation and Acceptance Criteria
To get the most value from this programme, for both Nucleus AI and participating security researchers, we strongly recommend, and will prioritise, disclosures with the following characteristics:
- Reports written clearly and precisely, in English where possible.
- Reports that include proof-of-concept code to help Nucleus AI triage the issue fully.
- Reports that describe how the vulnerability was found, a suggested impact classification, and possible remediation.
- Reports that go beyond raw automated scanner output and show human analysis and context.
- Reports that state any intended public disclosure timeframe or expectations.
If you follow these submission guidelines, you can expect the following from Nucleus AI:
- A prompt acknowledgement that your disclosure has been received.
- Open communication, including expected remediation timeframes where a fix is deemed necessary.
- Notification when remediation is complete.
- Compensation where applicable (detailed below).
Compensation Framework
Nucleus AI compensates security researchers based on the following criteria:
- The severity of the identified vulnerability (using a formula derived from the Common Vulnerability Scoring System).
- The completeness and clarity of the report.
- Nucleus AI's internal risk assessment of the issue.
- Whether the issue has already been disclosed (Nucleus AI pays only once per unique vulnerability).
Nucleus AI will work with researchers to arrange compensation. The amount of compensation is determined solely at Nucleus AI's discretion, a condition that participants accept by taking part in this programme.
If your reported issue is accepted, we will contact you within 72 hours of submission. If you have not heard from us within that time, the submission has not been accepted.
To confirm that you have read and understood this policy, please include the reference identifier 'NUCLEUSHEX' in the subject line of your submission.