Nuri/Trust Center
Sign in

Security

Last updated: March 10, 2026

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability in Nuri, we encourage you to report it responsibly. Please email security@dewitt.us with the following information:

  • A clear description of the vulnerability
  • Steps to reproduce the issue, including any tools, URLs, or request payloads used
  • Your assessment of the potential impact (e.g., data exposure, privilege escalation, denial of service)

We commit to acknowledging your report within 48 hours and will provide status updates every 5 business days until the issue is resolved or a determination is made.

Scope

The following assets are in scope for security research:

  • Nuri macOS and iOS applications
  • nuri.dewitt.us — Nuri web portal
  • nuri-api.dewitt.us — Nuri API

The following are out of scope:

  • Third-party services we use (Clerk, Neon, Anthropic, Cloudflare, Vercel, etc.) — please report vulnerabilities in those services directly to their respective security teams
  • Social engineering attacks against DeWitt Labs personnel
  • Denial of service (DoS/DDoS) attacks against our infrastructure
  • Physical attacks against our offices or data centers

Safe Harbor

DeWitt Strategic Advisors, LLC will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they:

  • Do not access, modify, or delete data belonging to other users
  • Do not degrade the performance or availability of our services
  • Report findings promptly and do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them
  • Comply with all applicable laws during their research

Recognition

We appreciate the work of security researchers who help keep Nuri and our users safe. With your permission, we will credit you in our release notes when a vulnerability you reported is resolved. If you would like to be credited, please include your preferred name or handle in your report.

Bug Bounty

We do not currently operate a formal bug bounty program. However, we are open to discussing appropriate recognition for significant security findings on a case-by-case basis. If you have identified a critical vulnerability, please include any relevant context about its severity in your report.

PGP Key

If you need to encrypt your vulnerability report, contact security@dewitt.us for our PGP public key.