Security researcher acknowledgements.

This page credits researchers who have responsibly disclosed findings against NexcurAI-operated systems. It is the public complement to our security policy.

1 How to report

If you have found something, tell us.

We read every report. We respond inside one business day. We do not threaten or litigate researchers who act in good faith and within the scope defined on our security page.

Preferred channel

Send a PGP-encrypted email to hello@nexcur.ai. Our public key is at /pgp.asc. If you cannot use PGP, send plain email and say so in the first line; we will respond with a Signal handle if the report warrants end-to-end encryption.

What we ask for

  • A reproduction path specific enough for us to verify inside one hour.
  • The affected URL, file, or endpoint.
  • The impact as you understand it, honestly stated.
  • A name you want credit under, or an explicit "no public credit" opt-out.

What we do

We acknowledge receipt inside 24 business hours. We triage and respond with a first assessment inside 72 business hours. We coordinate a disclosure timeline with you. We patch, then we publish the acknowledgement here, with your permission, and link to your writeup if you have one.

2 Acknowledgements

The hall.

This page launches empty. Entries will appear here as disclosures are closed. Each row records the researcher, the date we received the report, the area affected, the severity, and (when the researcher has published a writeup) a link.

Empty state

No disclosures have been closed yet. If you report a vulnerability, you will be the first entry. Please submit via the process described above.

3 Scope and safe-harbor

What we consider in-scope.

NexcurAI-operated surfaces: nexcur.ai and its subdomains, our mail infrastructure, and any public-facing artifact we sign (canary, PGP key). Out of scope: third-party services we use (GitHub, Google Workspace, etc.) unless the issue is our misconfiguration of those services. Client engagements are covered by their own scope documents.

Safe-harbor language.

If you act in good faith, avoid privacy violations, avoid service disruption, do not access accounts you do not own, and report promptly, NexcurAI will not pursue civil or criminal action against you in respect of the research activity. We do not warrant third parties on your behalf. If your research touches a client's systems via our surfaces, coordinate with us before you go further; we will liaise with the client.

The full safe-harbor text and scope boundaries are on /security.html. This page is the operational complement.