NearCircle
Security

Security at NearCircle.

If you've found a security issue, we want to hear about it. Good-faith researchers are welcome — we'll acknowledge your report, keep you in the loop, and credit you publicly if you want.

In scope

  • nearcircle.net — this marketing site and any /api/* endpoints it exposes
  • gawawgjozrhytrybglsd.supabase.co — the app's Supabase project
  • The iOS app bundle com.web3bit.nearcircle

Out of scope

  • Social engineering of our team, contractors, or users
  • Physical attacks against our offices or hardware
  • Denial-of-service or volumetric DDoS testing
  • Issues in the Supabase or Vercel platform themselves (report those to the respective vendors)
  • Already-disclosed iOS or Apple platform vulnerabilities

How to report

Email security@nearcircle.net with the subject prefix [nc-vdp]. Please include:

  • A clear description of the issue and its impact
  • Steps to reproduce (ideally a minimal proof-of-concept)
  • Affected endpoint, build, or app version
  • Whether you'd like public credit once the issue is resolved

Response SLA

  • Acknowledgement within 72 hours of your initial report
  • Initial triage and severity assessment within 7 days
  • Regular status updates until the issue is closed

Safe harbor

We will not pursue legal action against researchers who act in good faith, stay within the scope described above, avoid degrading our service for others, and do not access, exfiltrate, modify, or retain user data beyond what is minimally necessary to demonstrate a vulnerability. If you're unsure whether something is in scope, ask first.

Rewards

We do not operate a formal bug-bounty program yet. For meaningful findings, we evaluate rewards case-by-case — typically a thank-you, public credit, and at our discretion a gratuity for impactful reports.

Machine-readable

This policy is also published per RFC 9116 at /.well-known/security.txt.

Last updated: April 23, 2026