Responsible Disclosure

Last updated: July 1, 2026

At Norveth, we consider the security of our systems and our users' data to be of paramount importance. We actively encourage security researchers to help us improve our posture by reporting potential vulnerabilities.

Safe Harbor

We will not initiate legal action against security researchers who discover and report vulnerabilities in accordance with this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct.

1. Reporting Guidelines

If you believe you've found a security vulnerability in our platform, please notify us immediately by emailing security@norveth.app.

  • Provide a detailed summary of the vulnerability, including target URLs, request parameters, and a proof-of-concept (PoC).
  • Do not perform actions that could negatively impact our users or the availability of the platform (e.g., DoS attacks, spam).
  • Do not publicly disclose the vulnerability until we have had reasonable time to investigate and patch the issue (typically 90 days).

2. In-Scope Targets

  • norveth.app and subdomains
  • The Norveth REST API (api.norveth.app)
  • Norveth CLI and official SDKs
  • Authentication and authorization flows

3. Out-of-Scope Targets

The following issues are considered out of scope and are not eligible for reporting under this program:

  • Clickjacking on pages with no sensitive actions.
  • Self-XSS (Cross-Site Scripting).
  • Missing HTTP security headers that do not lead to a direct vulnerability.
  • Denial of Service (DoS/DDoS) attacks.
  • Social engineering or phishing attacks against Norveth employees or users.

4. Response Timeline

We strive to acknowledge receipt of all vulnerability reports within 48 hours. Once validated, we will keep you informed of our progress as we develop and deploy a patch.