Security & Vulnerability Disclosure

At Neer Technologies Ltd, the security of our POS and ERP platform is a top priority. We are committed to protecting the integrity of your business data, from sensitive inventory records to transaction details. This page outlines our security practices and our Vulnerability Disclosure Policy (VDP).

1. Our Security Commitment

We build our services with robust security principles to ensure a safe environment for your retail operations in Kenya. Our platform incorporates industry-standard encryption, secure authentication mechanisms, and continuous monitoring to guard against unauthorized access.

2. Vulnerability Disclosure Policy

We deeply value the work of independent security researchers. If you believe you have discovered a security vulnerability in the Neer platform, we encourage you to report it to us immediately. We ask that you follow our responsible disclosure guidelines to protect our users' data while we investigate and resolve the issue.

3. Reporting a Vulnerability

To report a security issue, please email our security team directly. Do not publicly disclose the vulnerability or share it with third parties until we have had adequate time to investigate and issue a patch.

• Email your report to security@neer.co.ke.
• Include a detailed description of the vulnerability.
• Provide clear, step-by-step instructions or a proof-of-concept (PoC) to help us reproduce the issue.
• Include the potential impact of the vulnerability.

4. Responsible Disclosure Guidelines

While conducting your research, we require that you act in good faith. You must comply with the following rules to remain within the bounds of our safe harbor policy:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.
• Do not attempt to access or modify data belonging to other Neer POS users. Use your own test accounts for any investigations.
• Do not perform Denial of Service (DoS) attacks, spamming, or social engineering against our employees, users, or infrastructure.
• Stop your testing immediately and notify us if you inadvertently access sensitive data (such as API keys, user passwords, or PII).

5. Out of Scope

Certain components and third-party integrations are strictly out of scope for security testing. Please do not test or report vulnerabilities related to:

• The KRA eTIMS system infrastructure or tax transmission endpoints.
• The Safaricom Daraja API or M-Pesa processing gateways.
• Third-party cloud infrastructure providers hosting our services.
• Clickjacking on pages with no sensitive actions.
• Issues requiring physical access to a user's POS terminal or device.

6. Our Response Process

When you submit a vulnerability report, our security team will respond as quickly as possible. We aim to acknowledge receipt of your report within 48 business hours. We will keep you updated on our progress as we investigate, triage, and remediate the issue. We do not currently operate a paid bug bounty program, but we are happy to provide a letter of recommendation or public acknowledgment for valid, high-impact reports.

7. Safe Harbor

If you conduct your security research in full compliance with this policy, Neer Technologies Ltd will consider your actions authorized. We will not initiate legal action or law enforcement investigations against you in relation to your research. If legal action is initiated by a third party against you, we will make it known that your actions were conducted in compliance with this policy.