NextPKI
Security and Vulnerability Disclosure
We sell certificate lifecycle management. Our own security baseline has to set the example.
Reporting a vulnerability
Email security@nextpki.com, encrypted with our PGP key (fingerprint: to be published).
A machine-readable version is at /.well-known/security.txt per RFC 9116.
Scope
In scope:
- *.nextpki.com
- The open-source sensor (source available at our GitHub organisation)
- The NextPKI console and API
Out of scope:
- Third-party services we use (please report to them directly)
- Findings that require physical access, social engineering, or denial of service
- Self-XSS and missing security headers on non-production hosts
Safe harbour
Good-faith security research conducted under this policy will not result in legal action from Datargo GmbH. We ask that you:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
- Give us reasonable time to fix issues before public disclosure (90 days by default)
- Do not access more data than is necessary to demonstrate the issue
Response targets
- Triage acknowledgement: 5 business days
- Initial severity assessment: 10 business days
- Coordinated disclosure window: 90 days from acknowledgement, extendable by mutual agreement
Acknowledgements
We maintain a hall of fame for researchers who report valid vulnerabilities. Researchers are listed only with their consent.
No bug bounty programme yet. We expect to launch one in 2027 once the pilot phase concludes.