/advisories/policy

Responsible Disclosure Policy

Nixer is committed to responsible security research. We work with vendors and open-source maintainers to coordinate disclosure of AI agent vulnerabilities before public release.

90-Day Coordinated Disclosure

We follow a time-limited coordinated disclosure process. Once we identify a vulnerability in an AI agent framework, library, or tool, we open a 90-day disclosure window:

Day 0 — Initial Discovery

Nixer identifies a vulnerability and opens the disclosure window. A draft advisory is prepared (not yet published).

Days 1–30 — Vendor Notification

We contact the affected vendor or maintainer with full technical details and a proposed patch timeline.

Days 30–60 — Patch Development

Vendor works on a fix. We monitor progress and provide technical guidance where helpful.

Days 60–90 — Coordinated Release

Vendor ships a patch. We publish the full advisory simultaneously with a public fix available.

Day 90+ — Full Public Disclosure

If a vendor does not respond or fails to produce a fix, we publish the advisory at 90 days regardless — with mitigation steps and workarounds.

Submit a Vulnerability

If you've found a vulnerability in an AI agent framework and believe it should go through our coordinated disclosure process, contact us directly.

We accept submissions for:

  • Undisclosed vulnerabilities in popular AI agent frameworks
  • Supply chain risks (dependency confusion, malicious packages, etc.)
  • MCP server misconfigurations and auth bypasses
  • Prompt injection vulnerabilities with real-world exploit paths

Security Contact

For coordinated disclosure submissions, vendor notifications, or questions about our process:

security@nixer.io

Hall of Fame

Researchers who contribute to coordinated disclosures are credited here. Disclosure submissions are kept anonymous unless credit is explicitly requested.

No researchers credited yet — check back after our first coordinated disclosure cycle completes.
Back to Advisories Scan your repo