Security disclosure
Responsible disclosure
Effective May 14, 2026 · Sodasoft LLC (30 N Gould St, Sheridan, Wyoming 82801, United States)
NANOTESTING (operated by Sodasoft LLC) ships a security product, so we take security reports against our own platform seriously. This page is our binding pledge to the researchers who help us.
Where to send reports
Email security@nanotesting.com with a clear technical writeup. Encrypt with our PGP key from nanotesting.com/.well-known/security.txt if the report contains data sensitive to a third party. Expect an acknowledgement within one business day and a triage decision within five business days.
Safe harbour
We will not pursue civil or criminal action, nor request law enforcement to do so, for good-faith research that:
- Stays within the in-scope assets listed below;
- Does not exfiltrate, retain, modify, or destroy customer data beyond the minimum necessary to demonstrate the issue;
- Does not interrupt service for other users (no DoS, no aggressive fuzzing);
- Does not disclose the issue publicly before we have had a reasonable opportunity to remediate (typically 90 days from first contact, sooner if we acknowledge and request).
This safe harbour applies to research against systems we operate. It does not grant permission to test third-party systems referenced from our infrastructure.
In-scope
- nanotesting.com
- www.nanotesting.com
- Any subdomain of nanotesting.com we control
- The Vercel deployment behind the production domains
- The Supabase project the production environment connects to (read-only RLS-respecting probes only; do not attempt schema modification)
- The Fly.io worker fleet (vulnerabilities reachable through the Service's normal job-submission flow)
- Customer-facing PDFs and signed download URLs
Out of scope
- Findings that require a non-default Vercel / Supabase / Fly account
- Social engineering of NANOTESTING staff or vendors
- Physical security of the office or data centres
- Findings against third-party services we depend on (please report those directly to the vendor)
- Reports demanding payment in advance (sextortion-style shakedowns) or that withhold details until paid
- Brute-force / credential-stuffing attempts against our auth endpoints
Examples of qualifying issues
- Authentication / session-management bypass
- RLS policy bypass that exposes another organisation's data
- Stored / reflected XSS, CSRF on state-changing endpoints
- SSRF reachable from a worker probe
- RCE on any infrastructure component
- Privilege escalation between roles (viewer -> owner, etc.)
- Information disclosure of unsealed customer secrets
- Payment / billing bypass
- Vulnerabilities in our open-source dependencies that we have not yet patched and that affect production
Rewards
We are not currently running a paid bug-bounty programme. We offer:
- Public acknowledgement on this page (with researcher consent)
- A reference letter for the researcher's portfolio
- Service credit on the Growth plan for 12 months (1 year free NANOTESTING) for any Critical or High finding that we accept and patch
- Cash bounty consideration for findings rated Critical by us; paid on a discretionary basis via Stripe, capped at USD 2,500 per finding pending an external program rollout in 2026
Duplicate reports are credited to the first complete writeup we receive.
Disclosure timeline
- T+0: Researcher emails security@nanotesting.com.
- T+1 business day: We acknowledge.
- T+5 business days: We triage and propose a remediation timeline.
- T ≤ 90 days: We deploy a fix. We provide weekly status if remediation will exceed 30 days.
- T+90 days or after the fix ships: Coordinated public disclosure with researcher credit, unless both parties agree to extend the timeline.
Hall of fame
Researchers who have helped us harden the Service:
- (Will be populated as reports are accepted.)
Contact
Security: security@nanotesting.com
Policy file: /.well-known/security.txt