Security
Vulnerability disclosure policy.
We ask clients to prove their security. The same standard applies to us. If you believe you have found a vulnerability in our systems, we want to hear from you, and this page explains how.
Scope.
This policy covers systems NCA Solutions operates. It is the policy referenced by our security.txt file.
In scope
- ncacyber.com and its subdomains
- Services and applications operated by NCA Solutions on those domains
Out of scope
- Third-party platforms we use but do not operate (scheduling, hosting, CDN, email providers). Report those to the vendor concerned.
- Findings that require social engineering of our staff or partners
- Physical attacks against people, offices, or infrastructure
- Denial of service, volumetric testing, or any activity that degrades service for others
- Reports from automated scanners without a demonstrated, exploitable impact
What we ask of you.
Report privately, first
Send findings to our security address before any public disclosure, and allow us a reasonable window, ninety days as a default, to remediate before details are published.
Demonstrate, don't exploit
Access only what is necessary to prove the issue exists. Do not read, modify, or exfiltrate data that is not yours, and do not pivot deeper once impact is clear.
One issue, one report
Include the affected URL or system, reproduction steps, and your assessment of impact. Proof-of-concept material is welcome; working mass-exploitation tooling is not required.
What you can expect from us.
Reports go to security@ncacyber.com. Write in English, Somali, or Arabic.
Acknowledgement
We confirm receipt within three business days and give you a point of contact for the report.
An honest assessment
We validate the finding, tell you plainly whether we consider it a vulnerability, and keep you informed as remediation progresses.
Good faith, both ways
We will not pursue or support legal action against researchers who act in good faith, stay within this policy's scope, and give us the chance to fix what they find.
Credit, if you want it
We are glad to acknowledge your work publicly once the issue is resolved. We do not currently operate a paid bug bounty programme.
Machine-readable contact details: /.well-known/security.txt