Vulnerability Policy

Effective Date: 25 January 2025

Issued By: Nuvra Limited (Masdar City Free Zone, Abu Dhabi, UAE)

Contact: security@nuvra.agency

1. PURPOSE AND SCOPE

1.1 This Vulnerability Disclosure Policy (“Policy”) establishes the authorized process for reporting, evaluating, and remediating security vulnerabilities affecting the Vibe Coding Platform (“Platform”) operated by Nuvra Limited (“Nuvra”, “Nuvra Tech”, “Company”, “we”, “our”).

1.2 This Policy applies to:

  • independent security researchers;
  • Users;
  • third-party partners;
  • vendors;
  • any individual who identifies or suspects a vulnerability within Company systems.

1.3 This Policy governs vulnerability reporting only. It does not authorize penetration testing, exploitation, or intrusive actions without explicit written permission.

2. LEGAL FRAMEWORK AND SAFE PRACTICES

2.1 UAE law strictly prohibits:

  • unauthorized access to computer systems;
  • modification or destruction of digital information;
  • circumvention of security measures;
  • dissemination of malware;
  • disruption of services.

2.2 Nuvra Tech supports responsible disclosure and will not pursue legal action against individuals who comply with this Policy, act in good faith, and avoid prohibited activities.

2.3 Actions conducted outside this Policy may constitute criminal offenses under UAE Cybercrime Law.

3. AUTHORIZED VULNERABILITY REPORTING

3.1 Individuals who identify a suspected vulnerability must report it promptly and confidentially to: security@nuvra.agency

3.2 Reports must include:

  • detailed description of the vulnerability;
  • steps to reproduce;
  • affected systems, URLs, or components;
  • potential impact assessment;
  • relevant screenshots, logs, or technical data;
  • researcher contact information.

3.3 All submissions are treated as confidential security communications.

4. PROHIBITED ACTIVITIES

Under no circumstances may researchers or Users:

  a. exploit or weaponize vulnerabilities;
  b. exfiltrate, modify, or delete data;
  c. access personal data or confidential information;
  d. conduct denial-of-service (DoS or DDoS) attacks;
  e. engage in social engineering against employees or customers;
  f. deploy automated scanners that degrade system performance;
  g. attempt to access accounts, Tokens, or Platform features not belonging to them;
  h. use vulnerabilities to copy Company IP or proprietary code;
  i. violate any applicable UAE law.

Violations may result in legal action and immediate account termination.

5. RESEARCH PRINCIPLES OF CONDUCT

Researchers must adhere to the following principles:

5.1 Good Faith Intent
Research must aim to enhance security, not to compromise it.

5.2 No Harm or Disruption
Testing must not disrupt services or harm system functionality.

5.3 Minimal Access
Access only the minimum data necessary to demonstrate the vulnerability.

5.4 No Persistence
Do not maintain access beyond what is required for reporting.

5.5 Immediate Reporting
Vulnerabilities must be reported promptly and privately.

5.6 Confidentiality
Do not publicly disclose vulnerabilities without explicit written permission from Nuvra Tech.

6. COMPANY COMMITMENTS AND RESPONSE PROCESS

Upon receiving a vulnerability report, Nuvra Tech shall:

6.1 Acknowledge Receipt
Within 5 business days.

6.2 Evaluate the Report
Classify its severity based on likelihood and impact.

6.3 Engage with the Researcher
Request clarifications or additional information as needed.

6.4 Remediate the Vulnerability
Within a reasonable and prioritized timeframe based on severity.

6.5 Confirm Resolution
Notify the researcher once remediation is complete.

6.6 Credit (Optional)
At the Company’s discretion, public acknowledgement may be provided after resolution, subject to confidentiality considerations.

7. SEVERITY CLASSIFICATION

Vulnerabilities are classified as follows:

7.1 Critical Severity

  • Full system compromise
  • Unauthorized access to sensitive data
  • Remote code execution
  • Token bypass or privilege escalation

7.2 High Severity

  • Significant security control bypass
  • Elevated access to non-sensitive areas
  • High-impact configuration errors

7.3 Medium Severity

  • Improper access controls
  • Resource exhaustion risks
  • Minor leakage of non-sensitive data

7.4 Low Severity

  • Cosmetic issues
  • URL manipulation without impact
  • Non-sensitive error messages

8. REPORTER ELIGIBILITY

To be protected under this Policy’s safe-harbor provisions, reporters must:

  a. comply fully with this Policy;
  b. avoid accessing personal or confidential data;
  c. refrain from public disclosure;
  d. not demand compensation or payment;
  e. behave ethically and professionally.

Failure to adhere to these requirements may invalidate protections.

9. OUT-OF-SCOPE FINDINGS

The following do not qualify as vulnerabilities:

  • recommendations for UI/UX improvement;
  • missing HTTP security headers without exploitability;
  • exposure of non-sensitive public data;
  • rate-limiting suggestions;
  • issues in third-party tools outside Company control;
  • findings that require physical access or social engineering.

10. RESPONSIBLE DISCLOSURE & PUBLICATION

10.1 Researchers may not publish, share, or disclose vulnerability details until:

  • Nuvra Tech confirms resolution; and
  • the researcher receives written permission from Nuvra Tech for public disclosure.

10.2 Unauthorized disclosure constitutes a violation of:

  • this Policy;
  • Terms of Service;
  • UAE Cybercrime Law.

11. NO COMPENSATION

11.1 Nuvra Tech does not offer monetary rewards, bounties, or compensation for vulnerability reports unless explicitly stated in future programs.

11.2 Submission of vulnerabilities does not create:

  • contractual obligations;
  • employment relationships;
  • fiduciary duties.

12. LIABILITY LIMITATIONS

12.1 Nuvra Tech shall not be liable for:

  • delays in responding to reports;
  • disputes over severity classifications;
  • actions by individuals who do not follow this Policy.

12.2 Reporters violating UAE law lose all protections immediately.

13. AMENDMENTS

Nuvra Tech may amend this Policy at any time to reflect:

  • cybersecurity developments;
  • legal changes;
  • operational needs.

Revised versions shall take effect upon publication.

14. GOVERNING LAW

This Policy is governed by:

  • UAE Federal Laws, including Cybercrime and PDPL;
  • Laws of the Emirate of Abu Dhabi;
  • Masdar City Free Zone regulations.

15. CONTACT INFORMATION

For vulnerability reports or security concerns:

Nuvra Limited
Masdar City Free Zone
Abu Dhabi, United Arab Emirates

security@nuvra.agency