Responsible-Disclosure Policy. English is the authoritative version; a German version is available on request (info@nextx.ch). Last updated: 2026-05-18.
Security & Responsible Disclosure Policy
1. Our commitment
nextX AG takes the security of its products, infrastructure, and website seriously. We welcome reports from security researchers and the wider community. If you believe you have found a security vulnerability in any nextX system, please report it to us using the process below. We will treat your report confidentially and will work with you in good faith.
2. Scope
This policy covers:
- The website https://nextx.ch and all subdomains operated by nextX AG.
- The nextX API endpoints documented under /api and /docs.
- Container images and software artefacts officially published by nextX AG (e.g. on a registry under the nextx namespace).
- Sample code and reference deployments published in repositories owned by nextX AG.
Out of scope:
- Third-party services we do not control (e.g. Netlify infrastructure itself, GitHub, our email provider). Please report such issues to the respective vendor.
- Findings that require physical access, social engineering of nextX staff, or non-technical attacks.
- Theoretical vulnerabilities without a demonstrable impact.
- Reports generated solely by automated scanners without analyst validation.
- Volumetric denial-of-service testing (please coordinate in advance if you wish to test).
3. How to report
Please send your report to info@nextx.ch.
If you would like to encrypt your report, our PGP public key is published at:
https://nextx.ch/.well-known/pgp-key.txt [counsel-review: devops: publish PGP key before launch or remove this line.]
Please include in your report:
- A clear description of the vulnerability.
- The exact affected URL, endpoint, package, or asset.
- Steps to reproduce (proof-of-concept, ideally minimal).
- Your assessment of the impact (confidentiality / integrity / availability).
- Any mitigations or workarounds you have identified.
- Your name or handle for credit (or a request to remain anonymous).
We accept reports in English or German.
4. Our commitments to you
When you submit a report in good faith and within this policy:
- We will acknowledge receipt within 3 business days.
- We will provide an initial assessment within 10 business days.
- We will keep you informed of remediation progress.
- We will coordinate any public disclosure timing with you.
- We will not initiate or support legal action against you for good-faith research that complies with this policy.
We do not currently operate a paid bug-bounty programme. [counsel-review: to be confirmed within 14 days] At our discretion we may publicly credit reporters in a security.txt-linked Hall of Fame at /security.
5. Safe-harbour expectations from researchers
When researching, please:
- Act in good faith and avoid harm to nextX, our customers, our users, or our infrastructure.
- Only interact with accounts and data that belong to you, or that you have explicit permission to test.
- Do not exfiltrate or retain confidential data beyond the minimum needed to demonstrate the vulnerability. Securely delete any such data after reporting.
- Do not perform destructive actions (data deletion, denial of service, persistent backdoors, ransomware-style behaviour).
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate (default coordination window: 90 days from acknowledgement, unless a shorter or longer window is mutually agreed).
- Comply with all applicable laws, including Swiss criminal law (in particular Art. 143, 143bis, 144bis, 147 StGB).
Reports made in good faith and within this policy will be treated as authorised research; we will not pursue claims under Swiss criminal law or applicable computer-misuse statutes against you, and we will defend the same in good faith should a third party attempt to do so.
6. After remediation
Once a vulnerability is remediated:
- We will notify you and confirm the fix.
- We may publish a security advisory at /security and, where appropriate, in a CHANGELOG.md for the affected artefact.
- We will, with your consent, credit you publicly.
7. Contact
- Reports: info@nextx.ch
- General contact: info@nextx.ch
- Public policy URL: https://nextx.ch/security
- Machine-readable record: https://nextx.ch/.well-known/security.txt (RFC 9116)
A German version of this policy is available on request from info@nextx.ch.
Version: 2026-05-18 — DRAFT for counsel review.
