Scope
In scope: nodetra.com, the Nodetra web application, API endpoints, workspace sessions, and user-facing PWA surfaces.
Please test only with your own account, your own test data, or workspaces where you have explicit authorization.
Responsible disclosure
A coordinated channel for vulnerability reports, safe harbor expectations, and response timelines.
This policy explains how to report and coordinate security vulnerabilities found in the Nodetra platform.
If you discover a vulnerability, send a report to [email protected]. Subject format: [VDP] short description.
Include reproduction steps, affected URL or endpoint, potential impact, screenshots/logs, and a proof-of-concept if available.
Initial acknowledgement: within 3 business days.
Triage result: within 10 business days.
Fix target: 30 days for critical findings, 60 days for high findings, 90 days for medium findings, and best effort for low findings.
Coordinated disclosure happens after a fix is released and both sides agree on disclosure timing.
Nodetra does not intend to initiate legal action for good-faith research performed in line with this policy.
Safe harbor depends on not accessing real user data, not exfiltrating data, not disrupting service, not performing social engineering, and not sharing findings with third parties before coordinated disclosure.
DoS/DDoS, spam, social engineering, physical security testing, third-party services, theoretical findings, and clickjacking on static pages without a sensitive action are out of scope.
Findings related to third-party providers should be reported through that provider's security process.
Researchers who report responsibly may be listed in a future acknowledgement page with their consent.
Nodetra does not currently operate a paid bug bounty program.