Skip to main content
NCASolutions

Security

Vulnerability disclosure policy.

We ask clients to prove their security. The same standard applies to us. If you believe you have found a vulnerability in our systems, we want to hear from you, and this page explains how.

security@ncacyber.com

Scope.

This policy covers systems NCA Solutions operates. It is the policy referenced by our security.txt file.

In scope

  • ncacyber.com and its subdomains
  • Services and applications operated by NCA Solutions on those domains

Out of scope

  • Third-party platforms we use but do not operate (scheduling, hosting, CDN, email providers). Report those to the vendor concerned.
  • Findings that require social engineering of our staff or partners
  • Physical attacks against people, offices, or infrastructure
  • Denial of service, volumetric testing, or any activity that degrades service for others
  • Reports from automated scanners without a demonstrated, exploitable impact

What we ask of you.

Report privately, first

Send findings to our security address before any public disclosure, and allow us a reasonable window, ninety days as a default, to remediate before details are published.

Demonstrate, don't exploit

Access only what is necessary to prove the issue exists. Do not read, modify, or exfiltrate data that is not yours, and do not pivot deeper once impact is clear.

One issue, one report

Include the affected URL or system, reproduction steps, and your assessment of impact. Proof-of-concept material is welcome; working mass-exploitation tooling is not required.

What you can expect from us.

Reports go to security@ncacyber.com. Write in English, Somali, or Arabic.

Acknowledgement

We confirm receipt within three business days and give you a point of contact for the report.

An honest assessment

We validate the finding, tell you plainly whether we consider it a vulnerability, and keep you informed as remediation progresses.

Good faith, both ways

We will not pursue or support legal action against researchers who act in good faith, stay within this policy's scope, and give us the chance to fix what they find.

Credit, if you want it

We are glad to acknowledge your work publicly once the issue is resolved. We do not currently operate a paid bug bounty programme.

Machine-readable contact details: /.well-known/security.txt