Security Policy
How to report a suspected vulnerability in nyxory. Read this before testing anything.
1. Reporting channel
Send vulnerability reports to security@nyxory.com. Encrypt with PGP if you want; we will publish a PGP key once we issue one. Do not file vulnerability disclosures in GitHub issues, Discord, social media, or other public channels before we have responded.
We aim to acknowledge reports within 72 hours during the open beta. We will keep you informed of triage, fix, and disclosure timing. Response times tighten upon GmbH founding.
2. Scope
In scope:
- nyxory.com and its subdomains operated by us (excluding customer deployments on *.nyxory.app)
- The nyxory console, control-plane APIs, and MCP server
- Authentication, authorisation, tenant-isolation, secrets handling
- Server-side request forgery, injection, insecure deserialisation, or path traversal in our code
- Cross-tenant data leakage
Out of scope:
- Customer deployments hosted on nyxory (these are third-party content; report to that customer)
- Hetzner infrastructure, upstream LLM providers, or other third-party subprocessor services
- Best-practice findings without exploitable impact (e.g. missing CSP headers absent a real attack chain)
- Self-DoS, rate-limit abuse, social engineering of our staff, physical attacks
- Vulnerabilities only exploitable via outdated end-user browsers (older than the current release minus two)
- Issues already publicly disclosed elsewhere
3. Safe-harbor
If you act in good faith, within the scope above, and report through the channel above, we will not pursue civil or criminal action against you for your research. This safe-harbor does not cover:
- Accessing, modifying, exfiltrating, or destroying customer data beyond what is strictly necessary to demonstrate the vulnerability
- Sustained automated scanning that affects platform availability
- Social engineering of staff, users, or third parties
- Public disclosure prior to coordinated remediation
- Activities that would violate §§202a, 202b, 202c, 303a, 303b StGB or comparable computer-misuse statutes of your jurisdiction
4. No bug bounty (yet)
We do not currently run a paid bug-bounty programme. We may credit researchers in a public acknowledgements page once we ship one, subject to your consent. If you discover something material, we will discuss recognition (Hall of Fame, written reference, swag) on a case-by-case basis. No payment is owed.
5. Disclosure
We follow a coordinated-disclosure approach. Once a vulnerability is remediated, you may publish your findings; we ask that you give us at least 14 days after remediation before public publication, and that you avoid disclosing details that would meaningfully assist re-exploitation against customers who have not yet upgraded.
6. Best-effort, not warranty
This policy is part of how we operate, not a security warranty. The Service is provided on a best-effort basis as set out in the Terms of Service §§6.2 and 6.4. See also Privacy Policy §8 for our security posture summary.