We welcome reports from security researchers. If you believe you have found a vulnerability in NEXGUARD products, please tell us before public disclosure.
How to report
- Email security@nexguard.live with subject line "Security Report — [short title]".
- Include steps to reproduce, impact assessment, and proof-of-concept if available.
- Allow up to 90 days for remediation before public disclosure (coordinated disclosure preferred).
Bug bounty program
NEXGUARD operates a good-faith recognition program for valid reports. Monetary rewards depend on severity, exploitability, and the program budget at the time of the report. We will confirm eligibility when we acknowledge your submission.
- Critical — authentication bypass, RCE in extension/browser, mass user data exfiltration
- High — stored XSS on nexguard.live, API auth flaws, extension permission abuse
- Medium — CSRF on sensitive actions, information disclosure, scan bypass enabling widespread harm
- Low — minor issues with limited impact
Ineligible findings
- Missing security headers without demonstrated exploit
- Self-XSS, clickjacking on non-sensitive pages, rate limits without bypass
- Reports from automated scanners without verified impact
- Social engineering of NEXGUARD staff or users
Recognition
With your permission, we may list your name or handle on a security acknowledgments page after the issue is fixed. Commercial bug bounty platforms may be added later; the official channel remains security@nexguard.live.
Related policies
Read our Security Disclosure Policy and Privacy Policy.