
Vulnerability Disclosure Program Guidelines

What we're looking for and compensation details for security researchers.

Nextvisit AI welcomes responsible disclosure of security vulnerabilities. To focus the program on meaningful security issues, we’ve established clear guidelines on what qualifies.

Compensation policy

We do not currently provide monetary compensation for vulnerability reports. If this policy changes, we will update this page.

What we don’t accept

The following findings do not qualify for our vulnerability disclosure program:

Infrastructure and configuration issues

  • Missing security headers (CSP, X-Frame-Options, etc.) without demonstrable impact
  • SSL/TLS configuration issues, expired certificates, or support for older protocols
  • Missing HSTS headers
  • Software version disclosure or banner grabbing

Low-impact or theoretical issues

  • Scanner output without manual verification and proof of exploitation
  • Theoretical vulnerabilities lacking working proof-of-concept
  • Clickjacking on non-sensitive pages
  • Cookie flags (Secure/HttpOnly) without security impact
  • Rate limiting observations without actual impact
  • CORS misconfigurations on public resources
  • Open redirects without demonstrable harm
  • Directory listings of non-sensitive files

User interaction and social engineering

  • Self-XSS or vulnerabilities requiring victim interaction
  • Social engineering attempts
  • Issues resulting from user error (exposed API keys, weak passwords)
  • AutoComplete/password manager behavior

Authentication and access issues

  • Email spoofing (SPF/DKIM/DMARC configuration)
  • Brute force, password spraying, or credential stuffing
  • Testing against accounts you didn’t create
  • Username/email enumeration via timing attacks
  • Logout CSRF

Out-of-scope issues

  • Subdomain takeover on out-of-scope domains
  • Issues requiring pre-compromised devices/networks

What we want to hear about

If your finding demonstrates real, exploitable risk to Nextvisit AI (nextvisit.app) systems or user data that isn’t in the exclusion list above, we want to hear about it.

We’re looking for vulnerabilities that could:

  • Compromise patient data or protected health information
  • Allow unauthorized access to user accounts
  • Enable data manipulation or system compromise
  • Present genuine security risks to our platform or users

Ready to report?

Include detailed reproduction steps and explain the potential impact when submitting. This helps us understand and address legitimate security concerns quickly.
