At Nucleus Software, security is fundamental to the trust our customers, partners, and stakeholders place in us. We are committed to protecting the confidentiality, integrity, and availability of our digital assets, applications, and services.
We welcome reports from security researchers, customers, partners, and members of the public who identify potential security vulnerabilities in systems owned and operated by Nucleus Software. Responsible disclosure helps us strengthen our security posture and better protect the organizations that rely on our solutions.
If you believe you have discovered a security vulnerability, we encourage you to report it responsibly using the process outlined below.
Reporting a Security Vulnerability
If you identify a potential security vulnerability affecting a Nucleus Software website, application, service, or digital asset, please report it by emailing:
Security Contact: teamcyberandinfosec@nucleussoftware.com
To help us investigate your report efficiently, please include:
- A clear description of the vulnerability.
- The affected URL, application, system, or service.
- Step-by-step instructions to reproduce the issue.
- Supporting evidence such as screenshots, logs, or proof-of-concept details.
- The potential impact of the vulnerability.
- Your name and contact information.
We will review all reports and investigate validated security concerns in accordance with our internal security processes.
Scope
This Responsible Disclosure Program applies to systems and services owned and operated by Nucleus Software, including:
- www.nucleussoftware.com and associated subdomains.
- Publicly accessible web applications and APIs operated by Nucleus Software.
- Mobile applications published and maintained by Nucleus Software.
- Other publicly accessible digital services under the control of Nucleus Software.
Product Security Reporting
Nucleus Software provides technology solutions to banks, financial institutions, and enterprises globally, including products such as FinnOne Neo® and FinnAxia®.
If you believe you have identified a vulnerability affecting a Nucleus Software product deployment, please report the issue to us with complete details. We will coordinate the investigation and remediation process with the appropriate stakeholders and affected parties, where applicable.
Out of Scope
The following activities and findings are generally considered outside the scope of this Responsible Disclosure Program:
- Vulnerabilities affecting third-party systems, platforms, or services not owned or controlled by Nucleus Software.
- Social engineering, phishing, impersonation, or physical security attacks.
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) testing.
- Spam, unsolicited bulk messaging, or email abuse.
- Testing that may disrupt, degrade, or impact the availability of Nucleus Software systems or services.
- Activities that result in unauthorized access to, modification of, or destruction of customer, partner, employee, or company data.
Guidelines for Security Researchers
We request that all security research be conducted responsibly and in good faith.
When reporting vulnerabilities, please:
- Act with the intention of improving security.
- Limit testing to activities necessary to identify and demonstrate the vulnerability.
- Avoid accessing, modifying, deleting, or disclosing data that does not belong to you.
- Respect the privacy of our customers, partners, employees, and users.
- Avoid actions that could impact the availability, performance, or integrity of our systems.
- Immediately stop testing and notify us if you inadvertently access sensitive information.
- Provide sufficient information to allow us to reproduce and validate the issue.
Please Do Not
- Access customer, employee, or partner information beyond what is required to demonstrate a vulnerability.
- Modify, destroy, or exfiltrate data.
- Perform Denial-of-Service testing or service disruption activities.
- Use phishing, social engineering, or physical intrusion techniques.
- Publicly disclose vulnerability details before Nucleus Software has had a reasonable opportunity to investigate and address the issue.
Our Commitment
When a vulnerability report is submitted in accordance with this Responsible Disclosure statement, Nucleus Software will:
- Acknowledge and review the reported issue.
- Assess the validity and potential impact of the vulnerability.
- Work to remediate confirmed vulnerabilities based on risk, severity, and business impact.
- Engage with the reporting party where additional information is required.
- Notify the reporting party when the investigation has been completed, where appropriate.
Safe Harbour
Nucleus Software supports responsible security research conducted in good faith.
We will not initiate legal action against individuals who:
- Report vulnerabilities responsibly and in accordance with this disclosure statement.
- Do not exploit vulnerabilities beyond what is reasonably necessary to demonstrate their existence.
- Do not access, misuse, alter, or disclose confidential information.
- Do not intentionally disrupt or degrade our services.
Activities that violate applicable laws, compromise customer data, disrupt services, or cause harm to Nucleus Software, its customers, partners, or third parties are not covered under this Safe Harbour statement.
Contact Information
Security Vulnerability Reporting – teamcyberandinfosec@nucleussoftware.com
Thank you for helping us maintain a secure and resilient digital environment for our customers, partners, and stakeholders.