Skip to content

Security: katyaterletskaya/novu

Security

SECURITY.md

Security

Contact: [email protected]

Safeguarding our Novu systems is a top concern for us. Nevertheless, despite our best efforts to fortify them, vulnerabilities may still be present.

If you come across a vulnerability, please inform us promptly so we can promptly resolve it. We kindly request your assistance in enhancing the security of both our clients and our systems.

Reporting a Vulnerability

In Scope Vulnerabilities:

  • Any security issues that might put at risk the confidentiality, integrity, or accessibility of our systems or data.

Out of Scope Vulnerabilities:

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS.

  • Email spoofing.

  • Missing DNSSEC, CAA, CSP headers.

  • Lack of Secure or HTTP-only flags on non-sensitive cookies.

  • Deadlinks.

Reporting Instructions:

  1. Email your findings to [email protected].

  2. Automated scanning tools should not be used on our infrastructure or dashboard. If you have a need for this, please reach out to us, and we'll assist you in setting up a secure sandbox environment.

  3. Please do not exploit the vulnerability or issue you've found, such as downloading excessive data or tampering with others' data.

  4. Please keep the issue confidential until we've fixed it.

  5. Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.

  6. Please share enough details for us to understand and fix the issue as fast as we can. Typically, providing the IP address or the URL of the affected system along with a description of the problem should be enough, though more intricate issues might need additional clarification.

What We Promise

  1. We'll get back to you within 3 business days with our assessment of the report and an estimated date when we expect to resolve it.

  2. We will not take any legal action against you related to the report, if you have adhered to the reporting instructions above.

  3. We'll treat your report with utmost confidentiality and won't share your personal information with third parties without your consent.

  4. We'll be keeping you updated of the progress toward fixing the issue.

  5. We'll credit you as the discoverer of the issue (unless you request otherwise), in public disclosures of the reported issue.

  6. We aim to resolve all issues promptly and are eager to actively contribute to the ultimate publication on the problem, once the problem has been resolved.

We truly value your contributions in strengthening our security.

There aren’t any published security advisories