Security Policy - Nubesti Cybersecurity Platform

Security Policy

Our Commitment to Security

At Nubesti, security is at the core of everything we do. As a cybersecurity platform, we maintain the highest standards of security for our infrastructure, applications, and data handling processes.

Responsible Disclosure

We appreciate the security research community’s efforts to improve the security of our platform. If you believe you have discovered a security vulnerability in our systems, please report it to us through our responsible disclosure program.

How to Report a Security Vulnerability

  1. Email: Send details to [email protected]
  2. Contact Form: Use our secure contact form
  3. Encrypted Communication: Use our PGP key for sensitive reports

What to Include in Your Report

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any supporting materials (screenshots, code snippets)

Our Response Process

  1. Acknowledgment: We’ll acknowledge receipt within 24 hours
  2. Investigation: Initial assessment within 48 hours
  3. Updates: Regular updates on our progress
  4. Resolution: Fix deployment and public disclosure coordination

Security Measures

Infrastructure Security

  • Encryption: All data encrypted at rest and in transit using AES-256
  • Access Control: Multi-factor authentication and role-based access
  • Monitoring: 24/7 security monitoring and incident response
  • Compliance: SOC 2 Type II, ISO 27001, and industry standards

Application Security

  • Secure Development: Security-by-design principles
  • Code Review: Mandatory security code reviews
  • Testing: Automated security testing in CI/CD pipeline
  • Dependencies: Regular security updates and vulnerability scanning

Data Protection

  • Privacy: GDPR and CCPA compliant data handling
  • Retention: Secure data retention and deletion policies
  • Access: Principle of least privilege access controls
  • Backup: Encrypted backups with offline storage

Bug Bounty Program

We operate a bug bounty program for security researchers:

  • Scope: All Nubesti platforms and services
  • Rewards: Based on severity and impact
  • Recognition: Public acknowledgment (with permission)
  • Legal: Safe harbor for good faith security research

In Scope

  • Web applications and APIs
  • Mobile applications
  • Infrastructure vulnerabilities
  • Social engineering attempts

Out of Scope

  • Physical attacks
  • Denial of service attacks
  • Spam or social engineering of employees
  • Attacks requiring physical access to devices

Security Contact Information

Acknowledgments

We thank the following security researchers for their responsible disclosure:

This section will be updated as we receive and address security reports.

Policy Updates

This security policy is reviewed and updated quarterly. Last updated: August 1, 2025

For questions about this policy, contact us at [email protected]


Nubesti - Committed to Cybersecurity Excellence
