We handle sensitive data for survivors and frontline workers. Security is not a checkbox — it is a core obligation. This page covers our disclosure policy and how we communicate security events.
We welcome reports from the security research community. If you have found a vulnerability in any of our products or infrastructure, please tell us before going public.
Send a detailed report to our security team. Include the affected product, steps to reproduce, potential impact, and any proof-of-concept you can share safely.
security@nansen.io
We will acknowledge your report within 2 business days, provide regular status updates, and notify you when the issue is resolved. We will not pursue legal action for good-faith disclosures.
All Nansen and Acorn products and infrastructure including acorn.tools, detect.acorn.tools, risk.acorn.tools, and nansen.io. Third-party services we use are out of scope — report those directly to the vendor.
Social engineering, physical security, denial-of-service attacks, and automated scanning without prior written permission. Reports that do not include reproduction steps will not be actioned.
Our response process is designed to move quickly and communicate transparently — to those affected and, where appropriate, to the public.
A severity rating is assigned. Critical and high issues are escalated immediately to the founding team.
We contain the issue as quickly as possible. For survivor-data systems, we aim to patch critical issues within 24 hours of confirmation.
Affected parties are notified within 72 hours of a confirmed material incident, in line with Australian Privacy Act obligations and our own higher standard.
Material incidents are published here as security notifications once remediation is complete, unless disclosure would itself create risk.
No security notifications at this time.
This section will be updated if a material incident or advisory requires public disclosure.