The standing posture.

The credible signal of an integration is what it does not touch. Below is what the platform does to keep member and brand data where it should be, what falls in and out of scope for security research, and how to write to us when something looks wrong. The desk reads every report, in writing, and answers in writing.

Rev. 2026-04-30 · Companion to the Letter of Authorization

Responsible disclosure

Write to security@thenexusclub.org.

Send a clear write-up: what you found, where you found it, the smallest steps that reproduce it, and the impact you observed. PGP is welcomed; the public key is published below. We acknowledge receipt within one business day and reply with a substantive read within five.

Inbox
security@thenexusclub.org
PGP key
Available on request — fingerprint published in dispatches
First reply
Within 5 business days
Resolution target
30 days from confirmation
§ I · Posture

Six things that are already true.

  1. § I·01 ✓ Live

    Encryption at rest.

    Long-lived OAuth tokens — Meta and Google — are encrypted with AES-256-GCM before they touch the database. The plaintext is never written anywhere else.

  2. § I·02 ✓ Live

    Encryption in transit.

    Every page and every asset is served over TLS 1.3. HSTS is set on the apex with a two-year max-age. We do not accept unencrypted connections.

  3. § I·03 ✓ Live

    Sessions are HTTP-only.

    The only cookie we set is the session cookie — signed, HTTP-only, secure, same-site. No analytics cookies, no advertising cookies, no third-party trackers.

  4. § I·04 ✓ Live

    Passwords are not stored as text.

    Member passwords are hashed with a memory-hard function (Argon2id) before storage. We cannot read your password, recover your password, or send your password back to you. Reset is the only path.

  5. § I·05 ✓ Live

    Authentication is OAuth on the platform side.

    Connection to Instagram and Gmail uses Meta's and Google's official OAuth flows. We never see, store, or transmit your platform credentials.

  6. § I·06 ✓ Live

    Backups are encrypted.

    Daily database snapshots are encrypted at rest by the underlying storage provider; access to the snapshots is audit-logged and limited to the desk's maintenance role.

§ II · Scope

In scope, and deliberately not.

In scope —
  • thenexusclub.org and any subdomain we operate
  • The application served from the URLs above
  • API endpoints under /api/
  • OAuth callbacks under /api/auth/
  • How we store, transmit, or process member or brand data
Out of scope —
  • Member Instagram accounts.

    We do not operate Instagram. Issues with Meta's platform, with a member's account, or with the consent screen belong with Meta.

  • Third-party OAuth providers.

    Issues with Google or Meta OAuth flows belong with the respective provider. Issues in how we receive the token after OAuth are in scope.

  • Denial-of-service.

    Volumetric or rate-based attacks on the platform are not in scope and are forwarded to our infrastructure provider's abuse channel.

  • Social engineering of staff or members.

    Phishing, pretext calls, and impersonation testing of any human are out of scope and against the disclosure policy.

  • Physical or network access.

    Tailgating, badge cloning, and physical-perimeter testing of any office or data centre are out of scope.

  • Reports requiring a privileged account.

    Findings reachable only with an admin account or a stolen session are out of scope; please report only what reproduces from a fresh, unauthenticated environment.

§ III · Asks

What we ask of researchers.

Security research is welcome and appreciated. The asks below are standing — they are the conditions under which a finding is read, acknowledged, and resolved without escalation.

  1. § III·01 · Do not access, modify, or delete data that is not your own.
  2. § III·02 · Do not run automated scanners that disrupt service for other members.
  3. § III·03 · Do not publish details of an unfixed finding.
  4. § III·04 · Give the desk a fair window to read, reproduce, and resolve before disclosure — typically thirty days; we will say if a longer hold is needed.
  5. § III·05 · If a finding requires demonstration on real data, stop at the smallest reproducible proof and write to us; do not enumerate further.

Reports filed in good faith — even those that turn out to be informational or out-of-scope — receive a written reading and a thank-you on the file. We don't operate a paid bug-bounty programme today; we acknowledge researchers in dispatches, with their permission, when a finding ships a fix.