
§ POLICY

Policy

The standards we hold ourselves to on every engagement. If a clause is load-bearing for your security review, ask for it in writing before scoping. We'll formalize it into the Statement of Work.

§ 01

Authorized use

NuClide Research operates exclusively under written engagement authorization. Every test, probe, and assessment is performed against in-scope assets named in a signed Statement of Work or coordinated-disclosure protocol.

We do not perform unauthorized testing. We do not sell intrusion services. We do not operate against targets without a documented authorization chain.

§ 02

Confidentiality

Mutual NDA is the default for every engagement. Client identity, scope detail, evidence artifacts, and findings stay inside the engagement boundary unless the client explicitly releases them.

The curated public list on the "Who we've helped" page exists only for clients who have authorized acknowledgment in writing. The full record of coordinated work is held privately.

§ 03

Data handling

Engagement artifacts are encrypted at rest and in transit. Storage is US-based. Access is scoped to the assigned engagement team.

On engagement closure, we retain only the signed ledger entry, the final report, and the evidence index. Raw captures are destroyed on a schedule defined in the Statement of Work, or sooner on written client request.

We do not aggregate client data into a corpus, ship it to third-party analytics, or use it to train models.

§ 04

Coordinated disclosure

For findings affecting third-party vendors discovered during NuClide research outside of a client engagement, we follow a coordinated-disclosure protocol: a written report to the vendor security contact, a reasonable remediation window, and a public-safe summary only after the fix is verified or the window expires.

Severity-1 findings against shared infrastructure are escalated to the appropriate CERT (CISA, vendor PSIRT, or national CSIRT) before any public communication.

We do not sell exploits. We do not retain working exploit code beyond the disclosure cycle.

§ 05

Tooling

The NuClide toolchain is built in-house and published openly on GitHub at github.com/nuclide-research. Source is public; the per-tool pages link the corresponding repository.

Air-gapped variants exist for environments where outbound network access is prohibited (classified networks, OT environments, healthcare clean rooms). These variants are deployed under SCA-equivalent controls.

§ 06

Jurisdiction

NuClide Research is US-domiciled. All engagement contracts are governed by US law. Export-controlled work (ITAR, EAR, CMMC-relevant) is performed under the appropriate compliance regime; ask in your scoping call if this applies.

§ 07

Secure communication

Sensitive disclosures, draft reports, and engagement-critical traffic should be encrypted. Use our PGP public key for the engagement intake address.

Signal is available for time-sensitive coordination at the same intake; the channel is provisioned per engagement, not advertised publicly.

UID
NuClide Research (engagement intake) <contact@nuclide-research.com>
FINGERPRINT
72A1 EB5A 3C11 0DD4 32F4 27E1 34EE DCED 2B38 7BBF
KEY
/pgp.txt

Questions, customizations, or your security team's review checklist: contact@nuclide-research.com.