Responsible disclosure, real rewards
Find a vulnerability
Test our in-scope systems within the rules. No production abuse.
Report privately
Send details to retranex@nexchat.retranex.com. We'll respond within 72 hours.
Get rewarded
We fix, you get paid. Rewards based on severity and impact.
In scope vs out of scope
| Product | In scope | Out of scope |
|---|---|---|
| NexChat | nexchat.retranex.io, widget, API | Third-party integrations, social engineering |
| NexBill | billing.retranex.com, API | Client-hosted instances |
| Retranex website | retranex.com | Out-of-scope infrastructure |
Reward ranges by severity
| Severity | Reward | Examples |
|---|---|---|
| Critical | £500 – £2,000 | RCE, auth bypass, mass data exposure |
| High | £200 – £500 | SQLi, XSS with account takeover, IDOR |
| Medium | £50 – £200 | Stored XSS, CSRF with impact, info disclosure |
| Low | £25 – £50 | Reflected XSS, minor info leak |
Final reward amounts depend on impact, clarity of report, and whether the issue was previously known. We reserve the right to adjust rewards at our discretion.
Stay within the rules
- Do not access, modify, or delete data that isn't yours.
- Do not perform denial-of-service or resource-exhaustion attacks.
- Do not test on production with real user data without permission.
- Report in good faith. No extortion or threats.
- Give us reasonable time to fix before public disclosure.
Safe harbor: We will not pursue legal action against researchers who follow these rules and act in good faith. We may work with law enforcement if we detect malicious activity.
Report a vulnerability
Email retranex@nexchat.retranex.com with a clear description, steps to reproduce, and impact. Include your PGP key if you use encrypted email.