NINOLEGAL
Security & compliance

Responsible vulnerability disclosure

Last updated: June 2, 2026
Model: Coordinated disclosure

At Nino Legal (formerly ArchivosYa) we take security seriously. If you are a security researcher or a user and you find a vulnerability, this page explains how to report it safely. We appreciate good-faith research. Read this policy in Spanish.

Section 01

Our commitment

We value the security community's work in protecting our users. We commit to treating every report seriously and to fixing confirmed issues as quickly as is reasonably possible.

Safe harbor

We will not pursue legal action against anyone who researches in good faith, follows this policy, does not affect other users' privacy, and gives us a reasonable time to remediate before disclosing. If you stay within these limits, we consider your research authorized.

Section 02

Scope

Which systems are covered by this policy and which are not.

  • In scope: ninolegal.com and its subdomains (including static-files.ninolegal.com), the web application and its APIs. During the brand transition, archivosya.com as well.
  • Out of scope: the infrastructure of our providers and subprocessors (Auth0, OpenAI, Microsoft Azure, MongoDB Atlas, Mercado Pago, SendGrid, Sentry, among others). Please report those findings directly to each provider.
  • Excluded: denial-of-service attacks (DoS/DDoS), findings requiring physical access or social engineering, and reports based solely on a software version without a demonstrable impact.

Section 03

How to report

Send your report by email to contacto@ninolegal.com. To help us reproduce and prioritize it, please include:

  • A clear description of the vulnerability and its impact.
  • Detailed steps to reproduce it.
  • The affected URL, endpoint or component.
  • If possible, a proof of concept (screenshots, requests or a short video).

Language

You can write to us in Spanish or English.

Section 04

Rules for researchers

To stay within the safe harbor, we ask that you:

  • Do not access, modify or delete data that is not yours. Use your own test accounts.
  • Do not perform denial-of-service attacks or tests that degrade the service for other users.
  • Do not perform social engineering against our team, users or providers, nor physical security testing.
  • Do not run aggressive automated scanners against production.
  • Respect privacy: if you come across personal data, do not copy or share it, and notify us immediately.

Section 05

What to expect from us

  • Acknowledgment of your report within 5 business days.
  • Assessment and prioritization of the report based on its severity.
  • Communication about progress and remediation.
  • Notice once the issue is resolved.

Section 06

Coordinated disclosure

We ask that you not publicly disclose the vulnerability until we have fixed it or agreed on a publication date. As a reference we work with a 90-day window from the report; if we need more time, we will coordinate it with you transparently.

Section 07

Recognition

At this time we do not offer monetary rewards (we do not run a paid bug bounty program). However, with your permission, we publicly credit those who report valid vulnerabilities as a thank-you for their contribution.

Section 08

Contact

For security reports, email us at contacto@ninolegal.com. You can also review our security controls.