Security
Updated May 26, 2026
How to report a security vulnerability in Nubo, what is in scope, and the safe harbor we extend to good-faith researchers. To report abusive content hosted on Nubo, use the abuse portal instead.
1 Overview
1.1 We take the security of the Nubo platform and Service seriously, and we welcome reports from security researchers and users who find a vulnerability. This policy explains how to report one, what is in scope, and what you can expect from us.
1.2 It covers vulnerabilities in Nubo's own systems. To report abusive content or activity hosted by a customer on Nubo, use our abuse portal at https://www.withnubo.com/abuse instead.
2 Reporting a vulnerability
2.1 Email [email protected] with enough detail for us to reproduce and assess the issue. Please send one report per vulnerability.
2.2 A useful report includes:
- the affected URL, endpoint, or component;
- a clear description of the vulnerability and its impact;
- step-by-step instructions to reproduce it, and a proof of concept where possible;
- any logs, requests, or screenshots that help us understand it;
- how you would like to be credited, if at all.
2.3 If you need to share sensitive details, say so in your first message and we will arrange a secure channel.
3 Scope
In scope:
- the marketing site at www.withnubo.com;
- the dashboard and application at apps.withnubo.com;
- the Nubo API and platform services that run customer workloads;
- our deploy, build, and networking infrastructure.
Out of scope:
- applications and content that customers deploy on Nubo (report those through the abuse portal);
- third-party services we rely on, which should be reported to their respective vendors;
- denial-of-service, volumetric, or brute-force testing;
- social engineering of our staff, users, or vendors, and physical attacks;
- reports from automated scanners with no demonstrated, exploitable impact.
4 Safe harbor
4.1 We will not pursue or support legal action against you for security research that follows this policy in good faith, and we consider such research authorized under the laws that would otherwise prohibit it.
4.2 To stay within this safe harbor, you must:
- make a good-faith effort to avoid privacy violations, data loss, and service degradation;
- only access, copy, or store the minimum data needed to demonstrate the issue;
- never access, modify, or delete data that is not yours, and stop once you confirm a vulnerability;
- give us a reasonable opportunity to fix the issue before disclosing it to anyone else.
4.3 If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.
5 Our commitment
5.1 When you report in line with this policy, we will:
- acknowledge your report, normally within three business days;
- validate and triage it, and keep you informed of our progress;
- work to remediate confirmed issues on a timeline that reflects their severity;
- credit you for the discovery once the issue is resolved, if you would like.
5.2 We do not currently run a paid bug bounty program, but we are grateful for responsible disclosure and recognize researchers who help us.
6 Coordinated disclosure
6.1 Please keep the details of any vulnerability confidential until we have had a reasonable opportunity to address it, and coordinate the timing of any public disclosure with us.
6.2 We are happy to work with you on a disclosure timeline and to acknowledge your contribution when the issue is fixed.