Vulnerability Disclosure

We appreciate the security research community's efforts in helping us maintain the security of our platforms. Report vulnerabilities responsibly and help us protect our users.

Our commitment: We'll acknowledge your report within 2 business days

Before You Report#

Thank you for helping us maintain the security of our platforms. Before submitting a vulnerability report, please review our responsible disclosure guidelines, response timelines, and scope requirements below.

Please read all sections carefully

Understanding our guidelines ensures your report is processed quickly and appropriately. After reviewing, you'll be able to submit your vulnerability report.

Responsible Disclosure Guidelines#

We're committed to working with security researchers to protect our users. We ask that you:

Report privately: Do not publicly disclose the vulnerability until we've had reasonable time to investigate and address it
Do not exploit: Do not access, modify, or delete user data without explicit permission
Minimize impact: Do not degrade service availability or performance during testing
Act in good faith: Make a good faith effort to avoid privacy violations and data destruction

Our Commitments to You

We will respond to your report within 2 business days
We will keep you informed of our progress addressing the vulnerability
We will credit you for your discovery (if desired) when we publicly disclose the issue
We will not pursue legal action against researchers who follow these guidelines

What to Include in Your Report#

To help us understand and reproduce the vulnerability quickly, please include:

Vulnerability type: The category of security issue (e.g., XSS, SQL injection, authentication bypass)
Affected system: The specific product, service, URL, or API endpoint affected
Severity assessment: Your evaluation of the risk (Critical, High, Medium, Low)
Detailed description: What the vulnerability is and potential impact
Steps to reproduce: Clear, step-by-step instructions to replicate the issue
Proof of concept: Code samples, screenshots, or videos demonstrating the vulnerability
Suggested remediation: Any recommendations you have for fixing the issue (optional)

Response Timeline#

We follow a structured process to handle vulnerability reports:

Stage	Timeline	Description
Acknowledgment	2 business days	We confirm receipt and provide a reference ID
Initial Assessment	5 business days	We validate and assess the severity
Remediation	Varies by severity	Critical: 7 days \| High: 30 days \| Medium: 60 days \| Low: 90 days
Public Disclosure	Coordinated	We coordinate disclosure timing with you after remediation

Timelines may vary based on complexity and impact. We'll keep you updated throughout the process.

Security Researcher Hall of Fame#

We acknowledge and thank security researchers who have helped us improve our security through responsible disclosure.

No public vulnerabilities have been reported yet. Your name could be here! We're grateful to security researchers who help us protect our users.

Out of Scope#

The following issues are generally out of scope for our vulnerability disclosure program:

Social engineering attacks (phishing, vishing, etc.)
Denial of Service (DoS/DDoS) attacks
Physical attacks on our offices or infrastructure
Recently disclosed zero-day vulnerabilities in third-party software
Issues that require unlikely user interaction or compromised devices
Missing security headers or best practices without demonstrated impact
Outdated software versions without a known exploitable vulnerability

If you're unsure whether an issue is in scope, feel free to reach out to us at security@newhorizoncode.io.

Ready to Report a Vulnerability?

Responsible Disclosure Agreement:

By continuing, I agree to follow responsible disclosure practices and will not publicly disclose this vulnerability until New Horizon Code has had a reasonable opportunity to investigate and address it. I understand this report will be handled confidentially and with high priority, and I confirm that I have read and understood the responsible disclosure guidelines, response timeline, and scope requirements outlined above.

Your report will be encrypted in transit and handled confidentially