Vulnerability disclosure

Written by Moodi Mahmoudi
Updated over 2 weeks ago

Quick start

  • acknowledgment within 10 business days

  • coordinated disclosure

  • no DDoS, spam, social engineering or physical attacks

  • credit after the fix

At a glance

If you discover a potential security issue in NEXT AI, email security@nextapp.co. NEXT acknowledges within 10 business days, works with you on remediation (we aim to resolve critical issues within one week), and asks that you follow good-faith research practices and avoid prohibited tests (below).

How to report

Send an email to security@nextapp.co with: reproduction steps, affected URL/endpoint and workspace, impact/severity, any proof-of-concept, logs/timestamps, and your disclosure timeline. NEXT AI provides credit after validation and fix, and maintains an open dialogue during triage.

What to expect from NEXT

  • Acknowledgment: reply to your email within 10 business days.

  • Coordination: we’ll propose a remediation timeline and keep you updated; please allow reasonable time before any public disclosure.

  • Credit: we recognize contributors after validation and fix (unless you request otherwise).

Good-faith research & safe harbor

NEXT AI welcomes good-faith security research. Our Responsible Disclosure Policy commits to a non-retaliatory legal posture for researchers who act within scope, avoid harming data/availability, and coordinate disclosure timelines with NEXT AI.

Please don’t (exclusions)

Refrain from DDoS, spamming, automated pentests/scans, social engineering or phishing of NEXT AI staff, and any attacks against physical property or data centers. Test only accounts you own or have explicit permission to use, and avoid privacy violations or service degradation.

Standards

This program aligns with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (handling). Many organizations also publish a security.txt file (RFC 9116) to advertise reporting contacts.

FAQ

Q: Where does one report a vulnerability?

Email security@nextapp.co with steps to reproduce, impact, and PoC (if available).

Q: When does one hear back?

NEXT acknowledges within 10 business days and collaborates on remediation and timelines.

Q: Can one publicly disclose the issue?

Yes—after coordinated disclosure. Please allow reasonable time for a fix and coordinate the publication window with NEXT AI.

Q: Will NEXT AI take legal action against good-faith research?

NEXT’s Responsible Disclosure Policy provides safe-harbor assurances for good-faith testing within scope and coordinated disclosure.

Q: What testing is out of scope?

No DDoS, spamming, automated scans, social engineering, or physical attacks. Only test accounts you own or have permission to use.

Q: Do you publish a security.txt?

Many organizations host /.well-known/security.txt (RFC 9116). If present, follow it; otherwise, email security@nextapp.co.
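As an added illustration of the RFC 9116 format mentioned under Standards and in this FAQ entry (example code written for this page, not a file NEXT AI is known to publish): a small Python parser that checks a security.txt for the required Contact and Expires fields, rejects a stale Expires date, and enforces the once-only rule for Expires and Preferred-Languages. The sample file content, including the Policy URL, is constructed for the example.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in RFC 9116 format (assumed content, not NEXT AI's real file).
SAMPLE = """# Constructed example for illustration
Contact: mailto:security@nextapp.co
Expires: 2031-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/vulnerability-disclosure
"""

# URI schemes RFC 9116 allows in a Contact field.
CONTACT_SCHEMES = ("mailto", "https", "tel")


def parse_security_txt(text):
    """Return (fields, errors); fields maps lowercased names to value lists."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are ignored
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'name: value' field")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate(fields, now=None):
    """Apply the RFC 9116 rules a reporter cares about before trusting the file."""
    now = now or datetime.now(timezone.utc)
    errors = []
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("missing required Contact field")
    for c in contacts:
        if urlparse(c).scheme not in CONTACT_SCHEMES:
            errors.append(f"Contact is not a mailto/https/tel URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                errors.append("security.txt has expired; treat its contacts as stale")
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")
    return errors


def check(text, now=None):
    """Parse and validate; an empty list means the file is usable."""
    fields, errors = parse_security_txt(text)
    return errors + validate(fields, now)
```

A file that fails these checks should not be relied on for reporting; fall back to the published contact address instead.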

Q: Will I receive credit?

Yes—public credit after validation and fix (unless you request otherwise).
