Vulnerability Disclosure Program Guidelines

What we're looking for and compensation details for security researchers

Updated over a month ago

At Nextvisit AI, we value the security research community and welcome responsible disclosure of potential vulnerabilities. However, to ensure our program focuses on meaningful security issues, we've established clear guidelines about what qualifies for our vulnerability disclosure program.

Compensation Policy

Currently, we do not provide monetary compensation for vulnerability reports. If this policy changes in the future, we will update this page accordingly.

What We Don't Accept

To help you focus your research efforts effectively, here are the types of findings that do not qualify for our vulnerability disclosure program:

Infrastructure and Configuration Issues

  • Missing security headers (CSP, X-Frame-Options, etc.) without demonstrable impact

  • SSL/TLS configuration issues, expired certificates, or support for older protocols

  • Missing HSTS headers

  • Software version disclosure or banner grabbing

Low-Impact or Theoretical Issues

  • Scanner output without manual verification and proof of exploitation

  • Theoretical vulnerabilities lacking working proof-of-concept

  • Clickjacking on non-sensitive pages

  • Cookie flags (Secure/HttpOnly) without security impact

  • Rate limiting observations without actual impact

  • CORS misconfigurations on public resources

  • Open redirects without demonstrable harm

  • Directory listings of non-sensitive files

User Interaction and Social Engineering

  • Self-XSS or vulnerabilities requiring victim interaction

  • Social engineering attempts

  • Issues resulting from user error (exposed API keys, weak passwords)

  • AutoComplete/password manager behavior

Authentication and Access Issues

  • Email spoofing (SPF/DKIM/DMARC configuration)

  • Brute force, password spraying, or credential stuffing

  • Testing against accounts you didn't create

  • Username/email enumeration via timing attacks

  • Logout CSRF

Out-of-Scope Issues

  • Subdomain takeover on out-of-scope domains

  • Issues requiring pre-compromised devices/networks

What We Want to Hear About

If your finding demonstrates real, exploitable risk to Nextvisit AI (nextvisit.app) systems or user data that isn't covered in the exclusion list above, we're definitely interested in hearing about it.

We're looking for vulnerabilities that could:

  • Compromise patient data or protected health information

  • Allow unauthorized access to user accounts

  • Enable data manipulation or system compromise

  • Present genuine security risks to our platform or users

Ready to Report?

When submitting a vulnerability report, please include detailed steps to reproduce the issue and explain the potential impact. This helps us quickly understand and address legitimate security concerns.

Thank you for helping us keep Nextvisit AI secure for healthcare providers and their patients.