Security Vulnerability Disclosure
Nexo's security team is excited to work with the community to make sure Nexo remains the most secure platform in the crypto space. If you have discovered security vulnerabilities anywhere in our services, we'll greatly appreciate your cooperation in disclosing them to us in a responsible manner, following the guidelines set out below.
Areas of Interest
Our primary focus is on vulnerabilities that:
- Allow attackers to access customers’ funds.
- Allow attackers to make customers’ funds unavailable.
- High severity attacks on the server (e.g., remote code execution, SQL injection, etc.)
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider the attack exploitability and security impact of the bug. The following issues are considered out of scope:
- Previously known vulnerable libraries without a working proof of concept.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DDOS or SPAM).
- Using automated tools to find vulnerabilities.
- Social engineering.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- Try to avoid privacy violations, destruction of data, and interruption of Nexo's services. Only interact with accounts you own or with the explicit permission of the account holder.
Please email all reports to [email protected]. Include any steps required to reproduce or exploit the vulnerability. Please allow enough time for the vulnerability to be addressed before discussing any findings publicly. Once we receive your report, Nexo's security team will contact you with a timetable for implementing a fix.
All activities performed following these guidelines will be considered authorized conduct, and won't be followed by legal action against you. If a third party initiates legal action against you in connection with activities conducted under these guidelines, we will take steps to make it known that your actions were conducted in compliance with Nexo's policies.
Thank you for helping keep Nexo safe.
Nexo’s Security Community Wall of Fame
We want to give proper credit to the people who help us improve our services and protect the Nexo community. If you discover a significant vulnerability and report it following the guidelines above, we will add your name to our Wall of Fame. If you wish to keep your disclosure confidential, just let us know, and we won’t reveal your identity. If several parties report the same vulnerability before it is fixed, the acknowledgment will go to the first one to report the issue.