Responsible Disclosure Policy
Nixer is committed to responsible security research. We work with vendors and open-source maintainers to coordinate disclosure of AI agent vulnerabilities before public release.
90-Day Coordinated Disclosure
We follow a time-limited coordinated disclosure process. Once we identify a vulnerability in an AI agent framework, library, or tool, we open a 90-day disclosure window:
Day 0 — Initial Discovery
Nixer identifies a vulnerability and opens the disclosure window. A draft advisory is prepared (not yet published).
Days 1–30 — Vendor Notification
We contact the affected vendor or maintainer with full technical details and a proposed patch timeline.
Days 30–60 — Patch Development
Vendor works on a fix. We monitor progress and provide technical guidance where helpful.
Days 60–90 — Coordinated Release
Vendor ships a patch. We publish the full advisory simultaneously with a public fix available.
Day 90+ — Full Public Disclosure
If a vendor does not respond or fails to produce a fix, we publish the advisory at 90 days regardless — with mitigation steps and workarounds.
Submit a Vulnerability
If you've found a vulnerability in an AI agent framework and believe it should go through our coordinated disclosure process, contact us directly.
We accept submissions for:
- Undisclosed vulnerabilities in popular AI agent frameworks
- Supply chain risks (dependency confusion, malicious packages, etc.)
- MCP server misconfigurations and auth bypasses
- Prompt injection vulnerabilities with real-world exploit paths
Security Contact
For coordinated disclosure submissions, vendor notifications, or questions about our process:
security@nixer.ioHall of Fame
Researchers who contribute to coordinated disclosures are credited here. Disclosure submissions are kept anonymous unless credit is explicitly requested.