Security disclosure

We take security reports seriously. If you've found a vulnerability in any Nucleus component — the control plane, the Moodle plugins, the Helm chart, the docs site, our infrastructure — please report it before disclosing publicly.

How to report

Email security@nucleuslms.io with:

  • A description of the issue.
  • Steps to reproduce, or a proof-of-concept.
  • The version (GET /api/version) and environment (hosted / self-host) where you found it.
  • Your contact info if you'd like credit.

PGP encryption is available on request.

What to expect

  • Acknowledgement — within 1 business day.
  • Initial assessment — within 5 business days. We'll tell you whether we agree it's a vulnerability, and the rough severity.
  • Fix timeline — depends on severity. Critical issues we patch immediately; lower-severity ones go into the next release.
  • Disclosure — we'll coordinate with you on a public disclosure date once the fix is shipped to all affected customers.

Scope

In scope:

  • The Nucleus control plane (registry.nucleuslms.io/nucleus-control-plane)
  • The Moodle plugins (local_nucleuscommon, local_nucleushub, local_nucleusspoke)
  • The nucleus-moodle Helm chart
  • The hosted infrastructure (*.nucleuslms.io)
  • This documentation site

Out of scope (please don't):

  • Anything that requires destructive testing against the hosted production environment. Set up a self-host instance instead.
  • Denial-of-service attacks.
  • Social engineering of Nucleus employees.
  • Issues in third-party dependencies — report those upstream first; we'll patch when fixes are available.

Safe harbour

We won't pursue legal action against good-faith security research conducted under this policy. "Good faith" means: you reported the issue privately, you didn't access more data than necessary to demonstrate the issue, and you didn't disclose publicly before we'd had a chance to fix it.

Released under the GPL v3 license.