Bug Bounty


Nimbus is committed to maintaining the security and integrity of our services. We understand that no technology is perfect, and we believe in working collaboratively with the security community to find and resolve vulnerabilities. Our bug bounty program encourages this collaboration by rewarding security researchers who provide us with high-quality security information.


This program covers the following application(s) and services:

  • Nimbus Website: https://hub.nimbus.dev

  • Nimbus API: https://api.nimbus.dev

  • Nimbus Data Pipeline

The following are explicitly out of scope:

  • Third-party services and dependencies

  • Denial of Service (DoS) attacks

  • Spam or social engineering techniques


Participants must:

  • Not be a former or current employee of Nimbus or its affiliates.

  • Not violate any laws or breach any agreements in order to discover vulnerabilities.

  • Adhere to the guidelines and scope of this program.


Nimbus provides rewards as follows:

  • Critical vulnerabilities: Up to $1000

  • High severity vulnerabilities: Up to $500

  • Medium severity vulnerabilities: Up to $200

  • Low severity vulnerabilities: Recognition in our Hall of Fame

Reward amounts are determined by the impact, ease of exploitation, and quality of the report. Decisions on reward eligibility and amounts are made by Nimbus and are final.

Submission Guidelines

To submit a vulnerability, please follow these guidelines:

  • Provide detailed steps to reproduce the vulnerability, including proof of concept (PoC) code if applicable.

  • Include your contact information for further communication.

  • Do not disclose the vulnerability publicly or to any third parties without explicit permission from Nimbus.

Submissions should be sent to security(at)nimbus.dev

Participants agree to:

  • Handle any confidential information obtained through this program responsibly.

  • Refrain from exploiting any vulnerabilities beyond what is necessary for demonstration purposes.

  • Comply with all applicable laws and regulations.

Nimbus commits to:

  • Respond promptly to submissions.

  • Not pursue legal action against researchers who adhere to this policy.

  • Work with researchers to understand and remediate reported vulnerabilities.


For questions or more information about the bug bounty program, please contact security(at)nimbus.dev.

Last updated