NicheNext
Security Disclosure
Public guidance for safely reporting and coordinating security vulnerabilities in the NicheNext first-launch MVP.
Last updated: 2026-05-20
Reporting Contact
Send security vulnerability reports to security@nichenext.com. Send general account, content, and terms questions to support@nichenext.com.
In Scope
- The NicheNext production web app and public APIs
- Authorization bypass, data exposure, or account-impacting issues in auth, profiles, product submission, comments, votes, saves, and image upload
- Security headers, session handling, RLS/permission configuration, and upload validation issues that affect user protection
Out of Scope and Prohibited Activity
- DoS/DDoS, high-volume automated scanning, or load tests that degrade service performance
- Social engineering, phishing, spam, physical attacks, third-party services, or accounts you do not own
- Viewing, changing, deleting, downloading, or disclosing data that is not yours
- Exploitation beyond what is needed to confirm the issue, including establishing persistence, lateral movement, or exfiltration of secrets
What to Include
- A summary of the vulnerability and its impact
- Reproduction steps, relevant URLs/routes, HTTP requests/responses, or screenshots
- The test account and browser/environment used
- A note that testing stopped immediately if personal data or other users' data appeared
- Mitigation or fix ideas if you have them
Response and Coordination
Our target for first response is within 3 business days. After triage, we will share impact and remediation plans and may ask for more detail or retesting. The first-launch MVP does not operate a public bug bounty or monetary reward program.
Disclosure and Credit
Please do not disclose vulnerability details until fixes and user protection steps are complete. If public disclosure is needed, coordinate timing and scope with us first. Researcher credit may be provided on request and as appropriate.