Vulnerability Disclosure Policy

Last Updated: July 9, 2026

NEXA is committed to protecting the security, confidentiality, integrity, and availability of our systems, services, and data.

If you become aware of a potential security issue affecting a NEXA system or service through normal use or inadvertent observation, we encourage you to report it so that we can investigate and address it appropriately.


Our Approach

NEXA does not authorize active security testing, including:

  • Penetration testing
  • Vulnerability scanning
  • Social engineering
  • Denial-of-service or stress testing
  • Credential stuffing or brute force attempts
  • Automated exploitation or high-volume requests
  • Attempts to access, download, modify, or retain data

These activities are not permitted unless you have explicit written authorization from NEXA.

Submitting a vulnerability report does not grant authorization to perform testing or access systems.


How to Report a Vulnerability

Please submit reports to:
security@nexamobility.com

To help us investigate, include:

  • A description of the issue
  • The affected system, application, or endpoint
  • Steps to reproduce or validate the issue
  • The potential impact
  • Supporting materials (such as screenshots or logs)
  • Your contact information

Please do not include sensitive personal data, production credentials, or exploit payloads in your initial report.
If needed, contact us to arrange a secure method for sharing sensitive information.


Responsible Disclosure Guidelines

When reporting a vulnerability, please:

  • Act in good faith
  • Avoid accessing, modifying, or deleting data
  • Avoid disrupting systems or services
  • Avoid attempting to escalate privileges or gain unauthorized access
  • Stop immediately if you inadvertently access sensitive data
  • Do not publicly disclose the issue without NEXA’s prior written consent

What You Can Expect From Us

When you submit a report, NEXA:

  • Aims to acknowledge receipt within three (3) business days
  • May validate and assess the reported issue
  • May prioritize remediation based on risk and business impact
  • May communicate with you as appropriate

Scope

This disclosure process applies only to systems and services owned and operated by NEXA.

Out of scope:

  • Third-party systems, platforms, or vendors not controlled by NEXA
  • Customer-managed devices or environments
  • Employee accounts or non-public internal systems
  • Physical security testing
  • Social engineering or phishing
  • Any activity requiring credentials you do not lawfully possess

No Bug Bounty Program

NEXA does not offer financial rewards for vulnerability reports.

NEXA does not provide compensation, reimburse costs, or enter into payment arrangements for vulnerability submissions.

At our discretion, we may acknowledge valid contributions.


Important Notice

Submitting a vulnerability report does not authorize you to:

  • Perform security testing or active exploitation
  • Access, collect, or store data beyond what is necessary to describe the issue
  • Disrupt systems, services, or operations

Any unauthorized activity may be treated as a violation of applicable laws and may result in investigation.


Related Legal Policies

This policy should be read together with NEXA’s: