# Nouva — Responsible Vulnerability Disclosure
# Issued by: Unique President Ltd (company number 12171298), trading as Nouva.
# https://nouva.app/

Contact: mailto:security@uniquepresident.com
Contact: mailto:nouva@uniquepresident.com
Expires: 2027-04-25T00:00:00.000Z
Preferred-Languages: en
Canonical: https://nouva.app/.well-known/security.txt
Policy: https://nouva.app/privacy-policy

# Scope
# In scope: the Nouva mobile application (iOS and Android), the Nouva website
# at nouva.app, and the Firebase / Google Cloud infrastructure operated by
# Unique President Ltd in support of the App.
# Out of scope: third-party services we use as sub-processors (Google Cloud,
# Firebase, RevenueCat, Fal.ai, OpenAI, Pinecone, etc.) — please report
# vulnerabilities in those services to the relevant provider directly.

# How to report
# Email security@uniquepresident.com (or nouva@uniquepresident.com if the
# security alias is unavailable) with:
# - a description of the vulnerability;
# - reproduction steps and any proof-of-concept material;
# - your contact details if you would like a follow-up;
# - whether you would like to be credited in our acknowledgements.
# We will acknowledge receipt within 5 business days. We aim to triage
# within 10 business days and to provide a remediation update within
# 30 days for confirmed issues. We do not currently operate a paid bug
# bounty programme.

# Safe harbour
# We will not pursue legal action against researchers who:
# - act in good faith and avoid privacy violations, data destruction,
#   or service degradation;
# - test only on accounts they own or for which they have explicit
#   written permission;
# - give us a reasonable opportunity to remediate before any public
#   disclosure;
# - do not exploit a vulnerability beyond the minimum necessary to
#   demonstrate it.