Review the complete Security Policy for nocom Solutions, including vulnerability reporting, coordinated disclosure, safe harbor, and in-scope assets.

Security Policy

nocom Solutions

Effective Date: May 20, 2026

Security Posture

nocom Solutions is committed to protecting its systems, services, and customers through reasonable, industry-standard security practices. We continuously work to improve our administrative, technical, and operational safeguards, but no environment can be guaranteed to be free from vulnerabilities, malicious activity, or unauthorized access.

nocom Solutions does not currently represent that it holds SOC 2, ISO 27001, PCI DSS, HIPAA, or any other formal security certification unless expressly stated by nocom Solutions in writing. We may pursue certifications in the future, but none should be implied from this policy.

This Security Policy is intended for security researchers, cybersecurity professionals, customers, and other parties seeking to understand how to report vulnerabilities affecting nocom Solutions-owned or nocom Solutions-operated assets.

Reporting a Vulnerability

If you believe you have identified a security vulnerability affecting nocom Solutions, report it privately to:

Please do not disclose the issue publicly before nocom Solutions has had a reasonable opportunity to investigate and remediate it, or before nocom Solutions provides written authorization for public disclosure.

Please do not submit vulnerability information through public issue trackers, public forums, social media, or any other public communications channel.

nocom Solutions intends to maintain a machine-readable security contact file at its official /.well-known/security.txt locations.

Bug Bounties and Compensation

nocom Solutions does not offer a paid bug bounty, cash reward, or guaranteed compensation program unless expressly announced in writing on an official nocom Solutions property.

Submission of a report does not create any entitlement to compensation, reimbursement, public recognition, or any other benefit.

nocom Solutions may, at its sole discretion, choose to acknowledge security researchers who submit valid reports and cooperate responsibly, but no acknowledgment is guaranteed.

Coordinated Disclosure

nocom Solutions supports coordinated vulnerability disclosure.

Researchers must keep vulnerability details confidential and non-public unless and until nocom Solutions provides written approval for disclosure. nocom Solutions may approve public disclosure after remediation, mitigation, or other security measures are in place and after any additional internal or third-party coordination criteria have been satisfied.

As a condition of any approved public disclosure, nocom Solutions may require that the disclosure:

  • does not expose customer data or confidential information;
  • does not include exploit details that would create unreasonable risk of abuse;
  • accurately reflects the issue and remediation status; and
  • complies with any other written conditions provided by nocom Solutions.

Safe Harbor

If you act in good faith, comply with this Security Policy, avoid prohibited conduct, minimize privacy impact, avoid service disruption, and promptly report any suspected vulnerability to nocom Solutions, then nocom Solutions will not initiate civil legal action or refer your activity to law enforcement solely because of your compliant security research.

For purposes of this policy, compliant research conducted in accordance with this policy is considered authorized by nocom Solutions only to the extent of nocom Solutions’ own rights and authority.

This safe harbor applies only to activity that:

  • is limited to nocom Solutions-owned or nocom Solutions-operated assets that are in scope under this policy;
  • is reasonably necessary to identify and verify a suspected vulnerability;
  • does not involve data destruction, service disruption, persistence, extortion, privacy violations, or unauthorized access to customer environments; and
  • is reported to nocom Solutions without unreasonable delay.

This safe harbor does not extend to any customer, vendor, upstream provider, contractor, payment processor, analytics provider, or other third party. nocom Solutions cannot and does not authorize testing on behalf of any third party.

nocom Solutions reserves the sole right to determine whether conduct complied with this policy and whether safe-harbor treatment applies.

In-Scope Assets

This Security Policy applies only to internet-facing assets that are owned or operated by nocom Solutions and that fall within one or more of the following namespaces:

  • nocomsolutions.com
  • *.nocomsolutions.com
  • *.on-nocom.net

In-scope status under this policy does not remove any other legal, contractual, technical, or operational restrictions that may apply. Testing must remain within the limits described in this policy.

Explicitly Out of Scope

The following are expressly out of scope under this policy and are not authorized for testing by nocom Solutions:

  • customer environments, customer workloads, customer virtual machines, customer containers, customer storage, customer applications, and customer data;
  • third-party systems, services, or infrastructure, including but not limited to Stripe, Cloudflare, Google Analytics, Microsoft Clarity, and any other vendor, provider, partner, or subcontractor environment;
  • physical locations, offices, hardware, and facility security;
  • phishing, impersonation, social engineering, or pretexting involving employees, contractors, customers, or third parties;
  • attacks against personal devices, end-user devices, telecommunications systems, or accounts that are not your own;
  • any assets not owned or operated by nocom Solutions.

nocom Solutions provides no authorization to any person or entity to test customer systems. Any party seeking to test a customer environment must obtain all necessary permission directly from that customer and from any other relevant party. nocom Solutions does not grant authorization on their behalf.

nocom Solutions also provides no authorization to test third-party services. Any such authorization must be obtained directly from the applicable third party.

Prohibited Activities

The following activities are prohibited under all circumstances unless nocom Solutions provides prior written authorization:

  • denial-of-service, distributed denial-of-service, stress testing, or load testing against nocom Solutions assets;
  • automated high-volume scanning, high-rate fuzzing, or any network-intensive testing that could degrade performance or stability;
  • phishing, spearphishing, social engineering, or attempts to manipulate nocom Solutions personnel, customers, or contractors;
  • malware deployment, ransomware activity, malicious payload delivery, or command-and-control behavior;
  • installation of persistence mechanisms, backdoors, web shells, implants, or unauthorized agents;
  • credential stuffing, password spraying, use of credentials that are not your own, or retrieval or use of leaked secrets;
  • attempts to access, exfiltrate, modify, delete, corrupt, or retain customer data or confidential information;
  • destructive testing, data destruction, service disruption, or modification of production data;
  • spam, abusive messaging, unsolicited mass submissions, or disruptive automated activity;
  • post-exploit activity beyond the minimum necessary to safely demonstrate the existence of a vulnerability;
  • lateral movement, pivoting, internal enumeration beyond minimum proof, or attempts to expand access after identifying a vulnerability;
  • privacy violations, doxxing, extortion, blackmail, ransom demands, or threats of publication.

If you inadvertently access data you do not have the right to access, you must stop immediately, not retain, use, or disclose the data, and report the incident promptly to nocom Solutions.

Good-Faith Testing Expectations

Good-faith testing under this policy must be limited to the minimum actions reasonably necessary to identify and verify a suspected vulnerability on nocom Solutions systems.

Researchers are expected to:

  • use accounts, credentials, and resources they own or are expressly authorized to use;
  • avoid privacy impact and unnecessary data access;
  • avoid persistence or post-exploitation activity;
  • avoid disrupting services, users, customers, or operations;
  • provide nocom Solutions a reasonable opportunity to investigate and remediate;
  • cooperate in good faith during triage and remediation.

What to Include in a Report

To help nocom Solutions investigate and validate a report, please include as much of the following information as possible:

  • affected URL, hostname, IP address, product, service, or interface;
  • vulnerability type or category;
  • clear reproduction steps;
  • impact and security significance;
  • screenshots, logs, request and response samples, or other supporting evidence;
  • a safe proof of concept sufficient to demonstrate the issue;
  • any relevant timestamps, account identifiers, or configuration context;
  • your contact details for follow-up.

Do not include sensitive customer data unless it is strictly necessary to explain the issue. If sensitive information is unavoidable, minimize the amount shared and clearly identify it as sensitive.

Response Targets

nocom Solutions will use commercially reasonable efforts to respond to qualifying vulnerability reports in accordance with the following targets:

  • Initial acknowledgment: within 48 business hours;
  • Initial triage update: within 5 business days;
  • Further investigation and remediation timing: based on severity, complexity, exploitability, operational risk, upstream dependencies, and other relevant factors.

These timeframes are targets only, not guarantees or service-level commitments.

nocom Solutions may request additional information during investigation. Failure to provide sufficient detail may delay or prevent validation.

Severity Guidelines

nocom Solutions may prioritize and classify reported issues at its sole discretion. As a general guide, issues may be categorized as follows:

  • Critical: vulnerabilities that may enable remote code execution, authentication bypass, full account takeover, cross-tenant compromise, or similarly severe compromise;
  • High: vulnerabilities that may enable privilege escalation, significant data exposure, or material compromise of important security boundaries;
  • Medium: vulnerabilities with meaningful but constrained impact, including issues requiring specific conditions or having limited security effect;
  • Low: minor security issues, limited misconfigurations, or weaknesses with low practical impact;
  • Informational: observations, hardening suggestions, or reports that do not present a demonstrable security vulnerability.

Shared Responsibility

nocom Solutions is responsible for protecting the security of systems and services that it directly owns or operates as part of its platform environment.

Customers are responsible for the security of what they deploy, configure, manage, or control, including but not limited to:

  • operating system patching within their workloads;
  • application security;
  • software they install;
  • passwords, SSH keys, API keys, tokens, and other secrets;
  • firewall, service exposure, and workload configuration;
  • backups of their data unless expressly agreed otherwise in writing.

nocom Solutions does not provide backup services under this policy unless expressly agreed in writing.

To protect the platform and other customers, nocom Solutions may impose and enforce baseline security requirements, including minimum network or firewall standards. nocom Solutions may isolate, suspend, disable, or take offline any workload or service that fails to meet minimum security requirements or creates risk to the platform, other customers, or third parties.

Abuse, Enforcement, and Investigations

nocom Solutions may investigate abuse reports and security incidents affecting its services or infrastructure.

nocom Solutions may, at its sole discretion and without prior notice where necessary to protect the platform or others:

  • preserve, review, and use relevant logs and records for security and investigative purposes;
  • suspend, isolate, rate-limit, disable, or terminate services involved in urgent security threats or violations of this policy;
  • coordinate with customers, vendors, upstream providers, law enforcement, or other appropriate parties where legally permitted or required.

Nothing in this policy requires nocom Solutions to permit ongoing testing, maintain service availability during a security event, or disclose internal investigative details.

Security Contacts

For matters related to this Security Policy, use the following contacts:

Only security vulnerabilities should be sent to the security contact.

Policy Changes

nocom Solutions may modify, suspend, replace, or withdraw this Security Policy at any time, with or without notice.

The current version published by nocom Solutions will control.