1. Scope
This policy applies to vulnerabilities in any NextPayment-owned website, mobile application, API, or infrastructure. It does not cover third-party services we use, which should be reported to the relevant owner.
2. How to report
Send reports to security@nextpayment.com, encrypted with our published PGP key. Include a clear description of the issue, reproduction steps, and any proof-of-concept code. Do not share the finding publicly until we have confirmed a fix.
3. Safe harbour
We will not pursue legal action against researchers acting in good faith under this policy, provided you do not access or modify other users' data, do not degrade the service, and do not disclose the issue publicly before we have resolved it.
4. Rewards
We operate a bug bounty programme for qualifying vulnerabilities. Scope, rewards, and eligibility criteria are published in our trust centre.