Vulnerability Disclosure Policy
Nairux values the work of independent security researchers. This policy describes how to report vulnerabilities to us, what to expect in return, and the safe-harbor protections we extend to good-faith researchers.
Version 1.0 · Effective May 21, 2026
Report a vulnerability
Send your report to the address below. Acknowledgment within 7 days.
1. Scope
This policy applies to the following Nairux systems and services (the "In-Scope Assets"):
• The Nairux platform hosted on Google Cloud Platform — any *.nairux.io subdomain, including cortex.nairux.io, portal.nairux.io, and customer-specific cluster URLs
• The Nairux Agent software distributed to customer environments
• The Nairux installer scripts and update mechanisms
• Nairux marketing and corporate web properties at nairux.io
• Any other Nairux-operated public-facing service
Out of scope: customer-managed infrastructure (the network devices Nairux is used to manage, customer hosts running the agent, customer identity providers); third-party services Nairux uses (please report to the respective vendor); denial-of-service testing against production; physical security testing; social engineering of Nairux personnel; testing against customer clusters without that customer's explicit written authorization.
2. How to Report
Email security@nairux.io with the following information:
• A clear description of the vulnerability
• The In-Scope Asset affected (URL, software version, etc.)
• Steps to reproduce (proof-of-concept code if applicable)
• The potential impact you have identified
• Your suggested severity rating (Critical / High / Medium / Low)
• Your contact information and any preferred name for public attribution
Encryption: if you wish to encrypt your report, request our PGP public key from security@nairux.io.
Please do not publicly disclose the vulnerability before we have had reasonable time to investigate and remediate (see our commitments below).
3. Our Commitments
When you report a vulnerability in good faith following this policy, we aim to:
Acknowledgment — Acknowledge your report and assign a tracking ID, typically within a few business days of receipt.
Initial triage — Provide an initial severity assessment and indicate whether we are validating or have validated the vulnerability, typically within two weeks.
Validated Critical fixes — Prioritize and deploy fixes for vulnerabilities classified as Critical severity as quickly as reasonably possible, generally targeting one calendar month from validation.
Validated High fixes — Deploy fixes for High severity vulnerabilities promptly, generally within a small number of months from validation.
Validated Medium / Low fixes — Address Medium and Low severity findings on a reasonable timeline where remediation is warranted.
We will keep you informed of progress, work with you on a coordinated public-disclosure timeline that protects affected customers, and (with your consent) publicly recognize researchers whose validated reports lead to platform improvements.
Where validated reports of Critical or High severity vulnerabilities affect customer data, we will notify affected customers in accordance with the breach-notification commitments in the applicable Customer Agreement and applicable law.
Timelines in this Section are good-faith targets, not contractual commitments. Specific service-level terms applicable to a customer are governed by that customer's agreement with Nairux.
4. Safe Harbor
Nairux extends safe harbor to security researchers acting in good faith under this policy. Specifically, when you act in accordance with this policy:
• Nairux will not initiate legal action against you for security research conducted in compliance with this policy.
• You agree not to access, modify, exfiltrate, or destroy customer data; if you inadvertently encounter customer data, you must immediately stop, delete any copies, and report what you found to us.
• You will not conduct testing that materially disrupts Nairux services for other customers (no denial-of-service testing, no resource exhaustion).
• You will not engage in social engineering, physical intrusion, or extraction of personally identifiable information.
• Our safe harbor does not authorize you to violate applicable law. Researchers in jurisdictions other than the United States should ensure their research is lawful under their local law.
If we determine that your research has violated this policy, the safe harbor does not apply. We will engage with you in good faith to clarify any uncertainty before taking action.
5. Severity Classification
We classify vulnerabilities using the following criteria, broadly aligned with CVSS v3.1:
Critical — Remote code execution; unauthenticated access to customer data; bypass of credential isolation between customer clusters; cryptographic primitives broken in production.
High — Authenticated privilege escalation; SQL injection with data access; broken authentication or session management; significant audit-trail tampering.
Medium — Cross-site scripting, CSRF, information disclosure of non-sensitive metadata, insecure defaults that require active misconfiguration to exploit.
Low — Minor information disclosure; missing security headers; rate-limiting weaknesses without exploitable impact.
6. Recognition
Researchers whose validated reports lead to platform improvements may be publicly recognized at nairux.io/security/hall-of-fame, with their consent. Recognition typically includes the researcher's name (or chosen handle), the date of disclosure, and a brief description of the vulnerability class — not the technical detail.
We currently do not operate a paid bug bounty program; we may launch one in the future and will update this page accordingly. Researchers are welcome to report vulnerabilities under this VDP regardless of bounty availability.
7. Reporting Active Exploitation
If you believe a vulnerability is actively being exploited against Nairux or its customers, please indicate this clearly in the subject line of your report — for example: "[ACTIVE EXPLOITATION] [your description]". We monitor security@nairux.io around the clock for incidents flagged this way.
8. Customer Security Resources
For Nairux customers and prospects evaluating our security posture:
• Trust & Security overview — available from your Nairux account team
• Compliance roadmap (including SOC 2 and ISO 27001 status) — available from your Nairux account team
• Sub-processor list — available from your Nairux account team
• Customer security questionnaires (CAIQ, SIG, VSAQ, or your internal format) — handled by our security team on a reasonable-effort basis
For broader security inquiries beyond vulnerability reports, contact security@nairux.io.
For vulnerability reports, security inquiries, or PGP key requests, contact us at security@nairux.io. For privacy-related inquiries, contact privacy@nairux.io.