Vulnerability Disclosure Policy
Last Updated: July 9, 2026
NEXA is committed to protecting the security, confidentiality, integrity, and availability of our systems, services, and data.
If you become aware of a potential security issue affecting a NEXA system or service through normal use or inadvertent observation, we encourage you to report it so that we can investigate and address it appropriately.
Our Approach
NEXA does not authorize active security testing, including:
- Penetration testing
- Vulnerability scanning
- Social engineering
- Denial-of-service or stress testing
- Credential stuffing or brute force attempts
- Automated exploitation or high-volume requests
- Attempts to access, download, modify, or retain data
These activities are not permitted unless you have explicit written authorization from NEXA.
Submitting a vulnerability report does not grant authorization to perform testing or access systems.
How to Report a Vulnerability
Please submit reports to:
security@nexamobility.com
To help us investigate, include:
- A description of the issue
- The affected system, application, or endpoint
- Steps to reproduce or validate the issue
- The potential impact
- Supporting materials (such as screenshots or logs)
- Your contact information
Please do not include sensitive personal data, production credentials, or exploit payloads in your initial report.
If needed, contact us to arrange a secure method for sharing sensitive information.
Responsible Disclosure Guidelines
When reporting a vulnerability, please:
- Act in good faith
- Avoid accessing, modifying, or deleting data
- Avoid disrupting systems or services
- Avoid attempting to escalate privileges or gain unauthorized access
- Stop immediately if you inadvertently access sensitive data
- Do not publicly disclose the issue without NEXA’s prior written consent
What You Can Expect From Us
When you submit a report, NEXA:
- Aims to acknowledge receipt within three (3) business days
- May validate and assess the reported issue
- May prioritize remediation based on risk and business impact
- May communicate with you as appropriate
Scope
This disclosure process applies only to systems and services owned and operated by NEXA.
Out of scope:
- Third-party systems, platforms, or vendors not controlled by NEXA
- Customer-managed devices or environments
- Employee accounts or non-public internal systems
- Physical security testing
- Social engineering or phishing
- Any activity requiring credentials you do not lawfully possess
No Bug Bounty Program
NEXA does not offer financial rewards for vulnerability reports.
NEXA does not provide compensation, reimburse costs, or enter into payment arrangements for vulnerability submissions.
At our discretion, we may acknowledge valid contributions.
Important Notice
Submitting a vulnerability report does not authorize you to:
- Perform security testing or active exploitation
- Access, collect, or store data beyond what is necessary to describe the issue
- Disrupt systems, services, or operations
Any unauthorized activity may be treated as a violation of applicable laws and may result in investigation.
Related Legal Policies
This policy should be read together with NEXA’s: