01
Submit
Send a clear report with affected surface, impact, reproduction steps, and evidence.
Open Program
Safe Harbor
P0 24H Triage
Find bugs in Nixtla get rewards.
Help secure Nixtla, TimeGPT, and the open forecasting ecosystem before risks reach production.
01 - Program Scope
Surfaces where careful research helps most.
Focus on vulnerabilities that could affect TimeGPT workflows, customer operations, open source packages, or the public Nixtla web experience.
Out of scope: social engineering, spam, physical access, denial-of-service testing, and third-party systems outside Nixtla control.
TimeGPT & API
- Acceptable Research
- API endpoints, auth, rate limits, logic flaws, data handling
- Examples
- Broken access control, IDOR, injection, auth bypass
- Exclusions
- Do not test rate limits at scale or degrade availability
Platform
- Acceptable Research
- Accounts, dashboards, billing flows, integrations, content delivery
- Examples
- Privilege escalation, stored XSS, insecure references
- Exclusions
- Do not test production payment flows with real transactions
Nixtla.io
- Acceptable Research
- Marketing site, forms, redirects, static assets, public endpoints
- Examples
- Open redirects, sensitive file exposure, header injection
- Exclusions
- Do not test third-party services or links outside nixtla.io
Open Source
- Acceptable Research
- Public repos, libraries, examples, documentation, tooling
- Examples
- Unsafe dependencies, insecure examples, path traversal
- Exclusions
- Do not open public PRs with exploit details before coordination
02 - Report Flow
A direct path from signal to fix.
Simple steps from first report to researcher credit. We aim for clarity, speed, and fair recognition.
02
Triage
We acknowledge the report and prioritize it by reach, exploitability, and harm.
03
Validate
The issue is reproduced, scoped, and mapped to a practical remediation path.
04
Reward
Eligible reports are reviewed for severity, quality, novelty, and remediation help.
05
Credit
Researchers can receive public credit after coordinated disclosure is complete.
03 - Rewards
Impact decides the tier.
Rewards are based on practical risk, report quality, exploitability, affected surface, and remediation value.
Nixtla determines final severity, eligibility, and reward amount at its discretion.
| Severity | Qualifying Impact | Examples | Reward Range | Triage |
|---|---|---|---|---|
| Critical [P0] | Full system compromise or unauthorized broad data access | RCE, admin takeover, mass secret exposure | $5,000 - $10,000+ | 24 hours |
| High [P1] | Significant impact requiring limited interaction | Privilege escalation, auth bypass, sensitive exposure | $500 - $5,000 | 48 hours |
| Medium [P2] | Limited impact or partial compromise | Stored XSS, IDOR with low impact, information disclosure | $100 - $500 | 3 days |
| Low [P3] | Minor issue with limited security impact | Reflected XSS, weak headers, minor misconfiguration | $25 - $100 | 7 days |
04 - Rules And Safe Harbor
Test responsibly. Report privately.
These rules protect researchers, customers, and Nixtla systems while allowing useful security work to move quickly.
Safe Harbor
We will not pursue claims for eligible good-faith research.
If you follow the rules and avoid harm, we will work with you to review, validate, and remediate the report.
/ Ask A Question +Good-faith testing only
Test only systems and accounts you own or have explicit permission to use.
Avoid customer data
Do not access, modify, retain, or exfiltrate customer or personal data.
No social engineering
Do not attempt phishing, vishing, baiting, employee targeting, or physical intrusion.
Respect availability
Do not perform attacks that degrade, disrupt, or test service capacity.
Coordinated disclosure
Report privately and wait for a coordinated disclosure window before publishing.
Respect legal boundaries
Comply with all laws and stay inside the published program scope.
Ready to report
Found something real? Send us the report.
Share the affected surface, security impact, reproduction steps, and evidence so we can validate the issue quickly.