Security and Responsible Disclosure
Cecure Intelligence Limited (“CIL”) takes the security of the NCLOPS public website and associated infrastructure seriously. This page summarises baseline technical controls and explains how security researchers and the public can report vulnerabilities responsibly.
Emergency or active incident? If you believe data is actively being exfiltrated or systems are being disrupted, include “URGENT” in the subject line when emailing nclops@cil.support and provide timestamps, affected URLs, and indicators of compromise where safe to do so.
1. Baseline security measures (public website)
Depending on environment configuration, controls typically include:
- Transport security — TLS (HTTPS) for visitor connections.
- Edge protection — content delivery network features such as DDoS mitigation and managed rule sets where enabled.
- HTTP security headers — for example, policies that reduce exposure to common browser-based attacks (exact values vary by deployment).
- Least-privilege hosting — static origin buckets with origin access controls; minimal publicly exposed APIs.
- CAPTCHA on contact submission — to reduce automated abuse of the contact pipeline.
- Patching and dependency hygiene — build pipelines and periodic reviews for the website codebase.
2. What is in scope for this disclosure process
We welcome reports concerning:
- Vulnerabilities in the NCLOPS public website (nclops.com and published dev/test public hostnames) that could affect confidentiality, integrity, or availability;
- Misconfiguration of public DNS, TLS certificates, or CloudFront/S3 policies that expose non-public data;
- Issues in the contact submission path (for example, injection, or authentication bypass on admin-only surfaces if exposed by mistake).
3. What is out of scope or handled elsewhere
- NCLOPS platform deployments on nclops.net or customer domains may have separate security contacts under contract; do not assume this page governs them.
- Social engineering of individuals, physical attacks, or spam to the contact form.
- Automated scanning that degrades service, or credential stuffing using leaked third-party passwords.
- Reports that only demonstrate missing security headers without a plausible exploit path, or purely informational TLS cipher preferences, unless tied to a known vulnerability class.
4. Responsible disclosure expectations
Please:
- Give us reasonable time to investigate and remediate before public disclosure (we aim to acknowledge within five (5) business days for valid reports);
- Avoid accessing, modifying, or deleting data that does not belong to you; use controlled proof-of-concept steps;
- Do not exfiltrate personal data; if you accidentally encounter it, stop and report at a high level;
- Preserve confidentiality of report details until we confirm remediation or mutually agree publication.
We do not promise a bounty programme by default; recognition may be offered at CIL’s discretion.
5. What to include in your report
- Affected URL(s) and environment (production, test, dev);
- Step-by-step reproduction instructions and, if helpful, redacted screenshots or HTTP traces;
- Your assessment of impact and severity;
- Contact details for follow-up questions.
6. Legal
We will not pursue legal action against researchers who comply with this process and applicable law. Unlawful access remains prohibited.
7. Contact
Send security reports to nclops@cil.support. This address is the correspondence hub for NCLOPS public-site security coordination; we may route internally to dedicated security responders.