Vulnerability Disclosure Policy
This policy describes how security researchers and customers can report vulnerabilities to NomaPort, what we ask of reporters and how we handle confirmed issues.
Last updated: 14 June 2026
1. Our commitment
NomaPort welcomes responsible reports of security vulnerabilities affecting our website, account services, managed devices and related infrastructure. We appreciate researchers and customers who help us protect users.
2. Scope
2.1 In scope
- nomaport.com and official NomaPort web applications.
- Authenticated account APIs and sign-in flows operated by NomaPort.
- NomaPort-managed device configurations and update mechanisms.
- Demonstrable vulnerabilities in NomaPort-operated integrations that create realistic user risk.
2.2 Out of scope
- Third-party services except where a NomaPort integration clearly amplifies impact.
- Social engineering, physical tampering, spam or denial-of-service tests without prior written approval.
- Issues requiring unlikely user interaction or obsolete client software.
- Findings from automated scanners without validated exploitability.
- Missing security headers or best practices with no demonstrated impact.
3. How to report
Send reports to security@nomaport.com with a descriptive subject line, the affected URL or component, steps to reproduce, an impact assessment and a proof of concept if available.
Include your contact information if you want status updates. Encrypted communication can be requested for sensitive reports.
4. What we ask of reporters
- Make a good-faith effort to avoid privacy violations, service degradation and data destruction.
- Do not access, modify or exfiltrate data belonging to others.
- Allow reasonable time for remediation before public disclosure.
- Do not perform testing on systems or accounts you do not own without explicit authorisation.
5. Our process
- Acknowledge receipt within three (3) business days when possible.
- Investigate and validate findings with appropriate priority.
- Provide periodic status updates for confirmed issues.
- Remediate or mitigate confirmed vulnerabilities according to our Security Update Policy.
- Coordinate disclosure timing with the reporter when appropriate.
6. Safe harbour
If you follow this policy, act in good faith and avoid harm, NomaPort will not pursue legal action against you for authorised research activities related to your report. This safe harbour does not apply if you violate the law, access unrelated data or extort users.
7. Recognition and rewards
We may acknowledge researchers with permission. A paid bug bounty programme may be introduced separately; unless explicitly published, reports are handled on a coordinated disclosure basis without guaranteed monetary rewards.
8. Contact
Security reports: security@nomaport.com
General security enquiries: hello@nomaport.com
NomaPort reduces common security and privacy risks through secure configuration, guidance and partner-supported workflows. It does not guarantee anonymity, immunity from attack, full legal compliance or complete protection against all threats.
