Vulnerability Disclosure Policy
Nstock welcomes good-faith security research. If you believe you have found a security vulnerability in Nstock, we want to hear from you. This page explains how to report it, what is in scope, and what you can expect from us. See also our security overview.
How to report
Email support@nstock.pro with the subject line Security vulnerability report. Please include:
- A description of the issue and where it was found (URL, endpoint, or feature)
- Steps to reproduce it — proof-of-concept detail is welcome
- The potential impact, as you understand it
- How you would like to be credited, if the report leads to a fix (optional)
This contact is also published in our security.txt file, following RFC 9116.
What you can expect from us
- An acknowledgement of your report within 3 business days
- An honest assessment of the issue and a good-faith effort to fix confirmed vulnerabilities promptly
- Updates when the issue is confirmed, fixed, or declined — with reasoning
- Credit for your discovery if you want it, once a fix has shipped
Scope
In scope: nstock.pro and its subdomains, including the Nstock web application and its APIs.
Out of scope:
- Denial-of-service testing, spam, or social engineering of Nstock staff or customers
- Automated scanning that degrades service for other users
- Physical attacks, and attacks requiring stolen credentials or a compromised device
- Vulnerabilities in third-party services Nstock uses (Stripe, Google/Firebase, etc.) — report those to the vendor directly
- Accessing, modifying, or deleting data that belongs to anyone other than your own test account
Safe harbor
Nstock will not pursue legal action against researchers who: act in good faith, stay within the scope above, make a reasonable effort to avoid privacy violations and service disruption, use only their own accounts and data for testing, and give us a reasonable opportunity to fix an issue before disclosing it publicly. Research conducted consistently with this policy is considered authorized, and we will not initiate or support legal action for accidental, good-faith violations of it.
A note on rewards
Nstock does not currently run a paid bug bounty program. We are a small team, and this policy is a commitment to take reports seriously and act on them — not a purchase order. Researchers who report valid issues will be credited here if they wish.



