Before You Report
Thank you for helping us maintain the security of our platforms. Before submitting a vulnerability report, please review our responsible disclosure guidelines, response timelines, and scope requirements below.
Please read all sections carefully
Understanding our guidelines ensures your report is processed quickly and appropriately. After reviewing, you'll be able to submit your vulnerability report.
Responsible Disclosure Guidelines
We're committed to working with security researchers to protect our users. We ask that you:
- Report privately: Do not publicly disclose the vulnerability until we've had reasonable time to investigate and address it
- Do not exploit: Do not access, modify, or delete user data without explicit permission
- Minimize impact: Do not degrade service availability or performance during testing
- Act in good faith: Make a good faith effort to avoid privacy violations and data destruction
Our Commitments to You
- We will respond to your report within 2 business days
- We will keep you informed of our progress addressing the vulnerability
- We will credit you for your discovery (if desired) when we publicly disclose the issue
- We will not pursue legal action against researchers who follow these guidelines
What to Include in Your Report
To help us understand and reproduce the vulnerability quickly, please include:
- Vulnerability type: The category of security issue (e.g., XSS, SQL injection, authentication bypass)
- Affected system: The specific product, service, URL, or API endpoint affected
- Severity assessment: Your evaluation of the risk (Critical, High, Medium, Low)
- Detailed description: What the vulnerability is and potential impact
- Steps to reproduce: Clear, step-by-step instructions to replicate the issue
- Proof of concept: Code samples, screenshots, or videos demonstrating the vulnerability
- Suggested remediation: Any recommendations you have for fixing the issue (optional)
Response Timeline
We follow a structured process to handle vulnerability reports:
| Stage | Timeline | Description |
|---|---|---|
| Acknowledgment | 2 business days | We confirm receipt and provide a reference ID |
| Initial Assessment | 5 business days | We validate and assess the severity |
| Remediation | Varies by severity | Critical: 7 days; High: 30 days; Medium: 60 days; Low: 90 days |
| Public Disclosure | Coordinated | We coordinate disclosure timing with you after remediation |
Timelines may vary based on complexity and impact. We'll keep you updated throughout the process.
Security Researcher Hall of Fame
We acknowledge and thank security researchers who have helped us improve our security through responsible disclosure.
No public vulnerabilities have been reported yet. Your name could be here! We're grateful to security researchers who help us protect our users.
Out of Scope
The following issues are generally out of scope for our vulnerability disclosure program:
- Social engineering attacks (phishing, vishing, etc.)
- Denial of Service (DoS/DDoS) attacks
- Physical attacks on our offices or infrastructure
- Recently disclosed zero-day vulnerabilities in third-party software
- Issues that require unlikely user interaction or compromised devices
- Missing security headers or best practices without demonstrated impact
- Outdated software versions without a known exploitable vulnerability
If you're unsure whether an issue is in scope, feel free to reach out to us at security@newhorizoncode.io.
Ready to Report a Vulnerability?
Responsible Disclosure Agreement:
By continuing, I agree to follow responsible disclosure practices and will not publicly disclose this vulnerability until New Horizon Code has had a reasonable opportunity to investigate and address it. I understand this report will be handled confidentially and with high priority, and I confirm that I have read and understood the responsible disclosure guidelines, response timeline, and scope requirements outlined above.
Your report will be encrypted in transit and handled confidentially.