We take security reports seriously. This page documents how to report a vulnerability, what's in scope, what to expect from us, and the protections we've already built in.
Email security@nextbridge.exchange with a clear technical description, reproduction steps, and your assessment of impact. If the issue is sensitive, request our PGP key in the first message — we'll send it and switch to encrypted mail.
Machine-readable contact info also lives at /.well-known/security.txt (RFC 9116).
Please do not post details publicly until we've confirmed and shipped a fix. We aim to acknowledge reports within 48 hours and ship critical fixes within 7 days.
In scope:
nextbridge.exchange domain and its subdomains./api/v1/*./api/mcp.@nextbridge/sdk npm package.Out of scope:
Helpful context before you go hunting — these are deliberate design choices:
ApiKeyAuditLog with caller IP, scope, key id.Nextbridge is currently pre-launch with no bounty payouts yet. Once we list as a public program (planned: Immunefi free tier alongside investor-pitch in late 2026), prior reports will be eligible for retroactive recognition.
Researchers who've responsibly disclosed issues will be listed here. The wall is empty for now — be the first.