Nest Responsible Disclosure Policy
1. Introduction
At Nest, safeguarding user data and platform integrity is non-negotiable. This Vulnerability Disclosure Program outlines how external researchers can responsibly report security vulnerabilities and how we handle such reports to continuously improve our ecosystem.
2. Participation Eligibility
To participate in this program:
You must be at least 18 years old, or have parental or guardian consent if you are a minor.
You must comply with all applicable laws and regulations.
You must not be on any government sanctions list or reside in a country that Nest is prohibited from dealing with under applicable sanctions laws.
Employees or contractors of Nest or its affiliates may report vulnerabilities but are not eligible for rewards.
3. License to Test
Nest grants researchers a limited, revocable, non-transferable license to test our publicly accessible applications, platforms, and services solely for vulnerability discovery purposes.
Testing must not disrupt or degrade our services.
Researchers must not attempt social engineering (including phishing of Nest staff or users), denial-of-service attacks, or physical intrusion into Nest facilities.
Do not access, modify, or retain user data beyond the minimum needed to demonstrate a vulnerability; use only accounts you own.
4. Program Rules
Perform tests only on domains and environments explicitly listed as in-scope.
Avoid any activity that violates user privacy, disrupts services, or destroys data.
Do not use automated scanning tools without permission.
Submit only one report per vulnerability.
Provide enough detail for us to reproduce the issue: the affected domain or endpoint, step-by-step instructions, sample requests and responses, and a proof of concept where applicable.
Violating these rules will result in disqualification from the program and may expose you to legal action.
5. Response Commitment
We aim to:
Acknowledge your report within 48 business hours.
Provide progress updates every 5–7 business days.
Resolve critical vulnerabilities within 7 business days of validation.
6. Testing Scope & Plan
You may test:
Nest's main website (https://nestloans.in)
Nest mobile applications (Android & iOS)
Public APIs and user-facing flows, using only test accounts and data you own (never production data belonging to other users)
Please DO NOT test:
Internal admin dashboards
Third-party services
Non-production environments unless invited
7. Out-of-Scope Vulnerabilities
The following issues are out of scope and are not eligible for recognition or rewards:
Missing or misconfigured security headers (unless you demonstrate a resulting exploit)
Clickjacking on pages with no sensitive actions
Missing rate limiting or brute-force protection, unless demonstrably exploitable (for example, leading to account takeover)
CSRF on operations with no security impact
Raw output from automated scanners without manual validation and a demonstrated impact
8. Rewards
While we do not currently offer a formal bug bounty program, we may, at our discretion:
Offer cash rewards for critical vulnerabilities
Provide swag, certifications, or public acknowledgments
Prioritize future collaboration opportunities
All rewards are subject to Nest’s internal evaluation.
9. Confidentiality and Disclosure Policy
Do not disclose any vulnerabilities publicly until Nest has resolved the issue.
Do not share vulnerability details with third parties.
Any violation of confidentiality will void your eligibility for recognition or rewards.
10. No Warranties
Nest provides no warranties of any kind for its services or systems under this program. We do not guarantee that any submission will receive a response, reward, or fix timeline unless expressly stated.
11. Legal Disclaimers and Governing Law
This policy authorizes only the testing described above; it does not authorize access to any data or service beyond that scope.
All legal claims, disputes, or proceedings related to this program will be governed by the laws of India and settled in the jurisdiction of Hyderabad, Telangana.
Nest reserves the right to modify or terminate this program at any time without notice.
For questions or to report a vulnerability, please contact us at: security@nestgens.com