Responsible disclosure
Last updated · 27 April 2026 · Effective immediately
Security researchers make the internet safer. We want to hear from you. This policy tells you how to report a vulnerability to Nuro AI Labs Limited, what we commit to in return, and what conduct we consider out of bounds.
1 · How to report
Email security@nuroailabs.com. A useful report includes:
- The affected asset (URL, product, endpoint, version, commit hash if applicable).
- A clear description of the vulnerability and its impact.
- Step-by-step reproduction (a minimal proof-of-concept beats a long write-up).
- Your assessment of severity (CVSS or rough severity is fine).
- How you would like to be credited — or whether you prefer to remain anonymous.
For sensitive details, request our PGP key in your first email and we'll send the public key by return. Please do not post vulnerability details to public channels (X, GitHub Issues, Hacker News, blog posts) before we've had a chance to remediate.
2 · Our commitments
- Acknowledgement within 48 hours of receiving your report (business days; we'll usually be faster).
- A triage decision within 5 business days, including a preliminary severity, an assigned owner, and a target remediation window.
- Regular status updates until the issue is resolved — at least every 14 days.
- Coordinated disclosure within 90 days of report intake. We prefer to publish a write-up jointly with the reporter once the fix is deployed and customers have a reasonable upgrade window. We may request an extension for systemic issues; we will not extend the window beyond 120 days without your agreement.
- Public credit in our security advisory and on our researcher hall-of-fame, unless you prefer otherwise.
- No legal action against good-faith research conducted under the safe-harbour terms below.
3 · Safe harbour
We consider security research conducted in line with this policy to be:
- Authorised under the Computer Misuse Act 1990 and equivalent laws.
- Authorised under our Terms of use and our products' terms of service, which would otherwise prohibit such testing.
- Exempt from any DMCA-style anti-circumvention provisions where applicable.
- Conducted in good faith and exempt from the prohibitions in our Usage policy.
We will not pursue or support any legal action against you for accidental, good-faith violations of this policy. If a third party brings legal action against you for activity that complied with this policy, we will make our authorisation known.
If you are unsure whether a particular activity falls inside this safe harbour, ask first: security@nuroailabs.com.
4 · Scope
In scope
- nuroailabs.com and all sub-paths.
- Hypersave — platform.hypersave.io, the public API surface, and the official TypeScript and Python SDKs.
- Khyaa — khyaa.com and the Khyaa application.
- Nuro Chat — nuro.chat.
- Nuro Studio — studio.nuro.one.
- Nuro One — nuro.one.
- Mobile apps published under the Nuro AI Labs / Khyaa / Nuro publisher accounts.
- Open-weights releases (e.g. AVALON-2B) — for safety and security issues in the model itself.
Out of scope
- Findings from automated scanners with no demonstrated impact.
- Volumetric attacks, denial of service, or any test that materially degrades availability for other users.
- Social engineering of Nuro AI Labs employees, contractors or customers.
- Physical attacks against Nuro AI Labs facilities or hardware.
- Self-XSS or attacks requiring full prior compromise of the victim's device.
- Missing security headers without a demonstrated, exploitable impact.
- Email spoofing for domains we don't actively send from (no SPF/DKIM/DMARC) — please report once but expect a low-severity classification.
- Issues in third-party services, libraries or platforms we don't control — please report directly to that vendor.
- Outdated software with no demonstrated exploit path.
- Theoretical vulnerabilities without a working proof-of-concept.
5 · Rules of engagement
- Use test accounts and synthetic data wherever possible. Do not access, modify or exfiltrate other users' data.
- If you incidentally access another user's data, stop, delete it, and tell us in your report.
- Do not pivot from a foothold to internal systems beyond the scope of demonstrating impact.
- Rate-limit your testing. Do not run concurrent fuzzing or scraping that could affect availability.
- Do not extort, threaten or attempt to monetise findings outside this disclosure process.
6 · Bounties
We do not currently operate a paid bug-bounty programme. We do offer recognition (public credit, researcher hall-of-fame, occasional swag) and we will revisit paid bounties as our customer footprint grows. We will not penalise you for finding something serious before that programme exists.
7 · Contact
security@nuroailabs.com
PGP: available on request
Acknowledgement SLA: 48 hours
Coordinated disclosure window: 90 days
Thank you for helping us keep our users — and the wider AI ecosystem — safer.