Skip to main content
LeaderboardLearnCompanyBlogContact
Sign In

Code of Conduct

Researcher Guidelines and Platform Rules

Last updated: November 11, 2025

1. Introduction

Welcome to NidFul, a platform connecting ethical hackers and security researchers with organizations committed to improving their cybersecurity posture. This Code of Conduct establishes the standards of behavior expected from all participants in our bug bounty programs, including researchers, organizations, and NidFul staff.

By participating in any NidFul program, you agree to adhere to these guidelines. Violations of this Code of Conduct may result in suspension or permanent ban from the platform, forfeiture of rewards, and potential legal action.

2. Core Principles

2.1 Ethical Behavior

All researchers must conduct themselves with integrity, honesty, and respect for others. This includes:

  • Treating all participants, organizations, and NidFul staff with respect and professionalism
  • Maintaining confidentiality of sensitive information discovered during testing
  • Reporting vulnerabilities responsibly and in good faith
  • Refraining from any form of harassment, discrimination, or abusive behavior

2.2 Responsible Disclosure

Researchers must follow responsible disclosure practices:

  • Report vulnerabilities promptly after discovery
  • Provide clear, detailed, and actionable reports
  • Allow organizations reasonable time to address vulnerabilities before public disclosure
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Do not access, modify, or delete data that you do not own or have explicit permission to access

3. Scope and Testing Rules

3.1 In-Scope Targets

Only test systems, applications, and services explicitly listed as in-scope for each program. Testing out-of-scope targets is strictly prohibited and may result in immediate account suspension.

3.2 Prohibited Activities

The following activities are strictly prohibited:

  • Denial of Service (DoS/DDoS) attacks: Any activity that disrupts, degrades, or impairs service availability
  • Social engineering: Attempting to manipulate individuals into revealing confidential information
  • Physical attacks: Attempting to gain physical access to facilities or equipment
  • Data exfiltration: Accessing, downloading, or copying data beyond what is necessary to demonstrate a vulnerability
  • Destructive testing: Any testing that modifies, deletes, or corrupts data or systems
  • Spam or phishing: Sending unsolicited emails or messages to employees or users
  • Brute-force attacks: Automated attempts to guess passwords or access credentials
  • Third-party services: Testing third-party services, APIs, or infrastructure not explicitly in-scope

3.3 Automated Scanning

Automated vulnerability scanners are generally not allowed unless explicitly permitted by the program scope. Manual testing and verification are preferred and typically receive higher rewards.

4. Reporting Requirements

4.1 Report Quality

All vulnerability reports must include:

  • A clear and concise title describing the vulnerability
  • Detailed description of the issue, including affected components
  • Step-by-step reproduction instructions
  • Proof of concept (PoC) code, screenshots, or videos demonstrating the vulnerability
  • Assessment of potential impact and severity
  • Suggested remediation steps (when possible)

4.2 Duplicate Reports

Only the first valid report of a vulnerability will be rewarded. Researchers are encouraged to check existing reports before submitting. Reports that duplicate previously reported issues will be closed without reward.

4.3 Disclosure Timeline

Researchers must allow organizations at least 90 days to remediate vulnerabilities before public disclosure. Extensions may be granted upon request if remediation is in progress. Public disclosure before this period without authorization may result in account suspension.

5. Rewards and Recognition

5.1 Reward Eligibility

Rewards are determined by:

  • Severity and impact of the vulnerability
  • Quality and clarity of the report
  • Uniqueness and creativity of the finding
  • Compliance with this Code of Conduct

Rewards are at the sole discretion of the organization and NidFul. Not all valid vulnerabilities may receive monetary rewards, but all valid reports are appreciated and recognized.

5.2 Payment Terms

Rewards are typically paid within 30-60 days of vulnerability remediation, subject to:

  • Successful verification and remediation of the vulnerability
  • Completion of required tax and payment information
  • Compliance with all platform rules and regulations

6. Prohibited Behaviors

The following behaviors will result in immediate account suspension or permanent ban:

  • Fraud and deception: Submitting false or misleading reports, attempting to claim rewards for vulnerabilities you did not discover, or colluding with others to game the system
  • Harassment: Engaging in harassment, threats, or abusive behavior toward other researchers, organization staff, or NidFul team members
  • Extortion: Demanding payment or other benefits in exchange for not disclosing vulnerabilities or for providing remediation assistance
  • Privacy violations: Accessing, storing, or sharing personal data of users without authorization
  • Unauthorized access: Gaining access to systems or data beyond what is necessary to demonstrate a vulnerability
  • Public disclosure violations: Disclosing vulnerabilities publicly before the authorized disclosure period
  • Circumventing security: Attempting to bypass security measures, rate limits, or access controls beyond what is necessary for testing

7. Researcher Responsibilities

Researchers are responsible for:

  • Maintaining the confidentiality of vulnerabilities until authorized disclosure
  • Ensuring their testing activities comply with all applicable laws and regulations
  • Keeping their account information and credentials secure
  • Responding promptly to organization requests for additional information
  • Respecting intellectual property rights and not reverse-engineering proprietary software beyond what is necessary for testing
  • Being respectful and professional in all communications

8. Organization Responsibilities

Organizations participating in NidFul programs are expected to:

  • Respond to vulnerability reports in a timely and professional manner
  • Provide clear scope definitions and testing guidelines
  • Fairly assess and reward valid vulnerability reports
  • Maintain confidentiality of researcher information
  • Not pursue legal action against researchers who act in good faith and comply with program rules
  • Provide timely updates on remediation progress

9. Enforcement and Consequences

Violations of this Code of Conduct will be investigated by the NidFul team. Consequences may include:

  • Warning: For minor first-time violations
  • Temporary suspension: For repeated or moderate violations
  • Permanent ban: For severe violations, fraud, or illegal activities
  • Reward forfeiture: For violations related to fraudulent reporting or non-compliance
  • Legal action: For illegal activities, which may be reported to law enforcement

All enforcement decisions are final and at the sole discretion of NidFul. Researchers who believe they have been unfairly treated may contact our support team for review.

10. Amendments and Updates

NidFul reserves the right to update this Code of Conduct at any time. Significant changes will be communicated to all platform participants. Continued use of the platform after changes constitutes acceptance of the updated Code of Conduct.

11. Questions and Support

If you have questions about this Code of Conduct or need clarification on any guidelines, please contact our support team at hello@nidful.com.

For program-specific questions, please refer to the program's scope and guidelines, or contact the organization directly through the platform.

Thank You

Thank you for your commitment to ethical security research and responsible disclosure. Together, we can make the internet a safer place for everyone.

By participating in NidFul programs, you agree to abide by this Code of Conduct and all platform rules. We appreciate your cooperation and dedication to improving cybersecurity.

Partner with NidFul

Secure your products with researchers who understand Africa's threat landscape.

Book a strategy session to see how NidFul can launch or scale your vulnerability disclosure program in days, not months.

Prefer email? Contact us

NidFul connects forward-looking teams with elite African researchers to uncover critical vulnerabilities, deliver verified fixes, and keep trust with customers.

Monthly briefings on emerging threats, research drops, and NidFul platform updates.

Platform
  • Launch a Program
  • Researcher Leaderboard
  • Organization Dashboard
Solutions
  • Fintech
  • Telecom
  • Cloud & SaaS
  • PhishDetect
Resources
  • Learn to Hack
  • Security Insights
  • Researcher Guidelines
  • Privacy & Data
  • VDP Policy Map
Company
  • About NidFul
  • Contact Us
  • Partner with NidFul
Social

© 2025 NidFul Technologies. All rights reserved.

PrivacyCode of Conducthello@nidful.com