Security
Vulnerability Disclosure Policy
Last updated: 20 April 2026 · Version 1.0
How to report
Please include clear reproduction steps, the affected URL/endpoint, and the impact. If applicable, a proof-of-concept request or a short video is appreciated. Do not include actual user data.
Scope
The following are in scope:
- nodebreach.com and all production subdomains (*.nodebreach.com)
- NodeBreach API endpoints under /api/v1/*
- Container-escape or cross-tenant isolation bypasses in the training range
- Authentication, authorization, and session-handling flaws
- Payment, billing, and subscription logic
The following are out of scope:
- Findings inside the training range that are the intended point of the exercise (CVEs in vulnerable training targets, SSH weak passwords on lab boxes, etc.)
- Denial-of-service, resource-exhaustion, or load tests. Do not perform these.
- Social engineering, phishing, or physical attacks against NodeBreach employees
- Automated scanner output without a demonstrable impact
- Missing best-practice headers with no exploitable impact (e.g. CSP report-only, HSTS preload)
- Self-XSS, logout CSRF, or clickjacking on non-sensitive pages
- Third-party services (Stripe, Sentry, etc.) — report to them directly
Rules of engagement
- Test only against your own account or an account you have explicit permission to test
- Do not access, modify, exfiltrate, or destroy data belonging to others
- Stop and report immediately if you encounter personal data
- Do not publicly disclose the issue until we have confirmed a fix and agreed a disclosure date
- Keep any proof-of-concept and related data confidential
Safe harbor
If you make a good-faith effort to comply with this policy, NodeBreach LLC will:
- Not initiate legal action against you for your research
- Consider your testing authorised under the Computer Fraud and Abuse Act (CFAA) and similar laws
- Waive any applicable provisions of our Terms of Service that conflict with this research
- Work with you to understand the issue and coordinate disclosure
This safe harbor does not apply to actions that violate the rules above, laws of your jurisdiction, or privacy of other users.
Response timeline
| Milestone | Target |
|---|---|
| Initial acknowledgement | Within 3 business days |
| Triage and severity assessment | Within 7 business days |
| Remediation plan | Within 30 days (Critical / High) · Within 90 days (Medium / Low) |
| Coordinated public disclosure | After fix is deployed and verified |
Recognition
We currently do not operate a paid bug-bounty programme, but we gratefully acknowledge researchers who report valid, previously unknown vulnerabilities on a public hall-of-fame page, with their consent. If you prefer to remain anonymous, we will respect that.