Nombo legal
Vulnerability Disclosure Policy
Last updated: July 14, 2026
Scope
This policy applies to Nombo software and Nombo-controlled systems, including www.nombo.ai, nombo-api.fly.dev, and the official Nombo apps for Mac and iPhone.
Security flaws in how Nombo integrates with a third-party service are in scope. Third-party services, infrastructure, accounts, and user-owned systems that Nombo does not control are not. If you are unsure whether a system is in scope, contact us before testing it.
Authorization and safe harbor
If you make a good-faith effort to follow this policy, Detta, Inc. will consider your research authorized and will not initiate or recommend legal action against you for that research. If you are uncertain whether an activity is allowed, contact us before continuing. This authorization does not apply to activity that violates this policy or applicable law.
Research guidelines
- Use your own accounts and data, and test only enough to confirm the issue.
- Stop testing and report immediately if you encounter another person's data, credentials, secrets, or other sensitive information. Do not retain or share it.
- Do not alter or delete data, escalate privileges, establish persistence, move laterally, introduce malware, or access data beyond the minimum needed to confirm the issue.
- Do not perform denial-of-service, load, high-volume automated, social-engineering, phishing, or physical-security testing.
- Avoid disrupting Nombo, violating privacy, or degrading another user's experience.
Reporting a vulnerability
Email reports to [email protected] with the subject “Nombo security report.” Please do not open a public issue or include real user data.
Please include:
- The affected product, version, or web address.
- A description of the vulnerability and its potential impact.
- Reproduction steps and the minimum proof needed to demonstrate the issue.
- Whether you would like to be credited when the issue is disclosed.
What to expect from us
We aim to acknowledge your report within 3 business days and provide a remediation timeline within 7 business days of that acknowledgement. Critical issues are triaged faster.
We will coordinate public disclosure with you after remediation or on another date we agree together. There is no fixed disclosure deadline.
Rewards and supported versions
This is not a bug-bounty program, and Detta, Inc. does not promise payment or other rewards for reports.
Nombo supports its current hosted service and latest app releases. We welcome reports about older versions, but upgrading to the latest release may be the supported remediation.