Responsible Disclosure
Last updated June 2026
At nodge, the security of our systems and the protection of our customers' data are top priorities. Despite our care, a weakness may still slip through. If you find a vulnerability, we ask you to report it to us so we can fix it quickly and protect our customers.
Scope
This policy covers the nodge platform itself: platform.nodge.ai and the nodge-operated services on *.nodge.ai. Applications and *.nodge.ai domains that are controlled by our customers are outside the scope of this policy. If you find an issue in a customer's application, please contact that customer directly.
Out of scope
The following are generally not treated as qualifying vulnerabilities unless you can demonstrate a concrete, exploitable impact:
- Missing security headers or best-practice recommendations without a working exploit
- Self-XSS, or issues that require an unlikely amount of user interaction
- Reports of missing rate limiting or brute-force protection without a demonstrated attack
- Clickjacking on pages with no sensitive actions
- Output from automated scanners with no supporting proof of concept
- Social engineering, phishing, physical attacks, or denial of service
- Vulnerabilities in third-party services we do not control
How to report
Email your findings to info@nodge.ai. Include enough detail for us to reproduce the issue, so we can resolve it as fast as possible. Helpful information includes:
- A clear technical description of the vulnerability
- The steps to reproduce it, and the systems or URLs involved
- Screenshots, logs, or a proof of concept where possible
What we ask of you
To keep disclosure responsible, please:
- Do not exploit the vulnerability, for example by downloading, altering, or deleting data
- Do not change or break any systems
- Do not use attacks on physical security, social engineering, phishing, or distributed denial of service (DDoS)
- Do not share the issue with others until it has been resolved, and give us a reasonable amount of time to fix it before any public disclosure
- Delete any confidential data obtained through the vulnerability once the issue is fixed
What we promise in return
- We respond to your report within 5 business days with our assessment and an expected resolution date.
- We treat your report confidentially and do not share your personal details with third parties without your consent.
- We keep you informed of our progress while we work on a fix.
- We resolve the vulnerability as quickly as we can, and we are happy to work with you on a coordinated disclosure once it is fixed.
- With your permission, we will credit you as the discoverer of the reported vulnerability.
- As a thank-you, we offer a reward for thorough feedback and for genuine security issues. The size of the reward depends on the quality of the report and the severity of the issue, and is at our discretion.
- If a vulnerability has led to a data breach, we report it to the relevant authorities in line with the GDPR.
Our commitment to you
We will not pursue legal action against you in relation to your report, provided you act in line with this policy and in good faith. We treat your report as a genuine effort to help us improve the security of our platform.
Contact
Send security reports, and any questions about this policy, to info@nodge.ai.