Security: mangnez/novu

SECURITY.md

Security Contact

Contact: security@novu.co

At Novu, we prioritize the security of our systems. While we strive to make our systems as secure as possible, vulnerabilities can still exist. If you discover a vulnerability, we kindly request your assistance in helping us enhance our security measures and protect our clients.

Reporting a Vulnerability

In Scope Vulnerabilities:

  • Any security issues that could jeopardize the confidentiality, integrity, or availability of our systems or data.

Out of Scope Vulnerabilities:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS.
  • Email spoofing.
  • Missing DNSSEC, CAA records, or CSP headers.
  • Lack of Secure or HttpOnly flags on non-sensitive cookies.
  • Dead links.

Reporting Instructions:

  1. Email your findings to security@novu.co.
  2. Please refrain from running automated scanners on our infrastructure or dashboard. If you intend to do so, contact us, and we will set up a sandbox for your testing.
  3. Do not exploit the vulnerability or problem you have discovered, such as downloading more data than necessary or deleting/modifying others' data.
  4. Keep the problem confidential until it has been resolved.
  5. Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
  6. Provide sufficient information to reproduce the problem, including the IP address or URL of the affected system and a clear description of the vulnerability. Complex vulnerabilities may require additional explanation.

What We Promise

  1. We will respond to your report within 3 business days, providing an evaluation of the report and an expected resolution date.
  2. If you have adhered to the reporting instructions, we will not take any legal action against you in relation to the report.
  3. We will maintain strict confidentiality regarding your report and will not share your personal details with third parties without your consent.
  4. You will be kept informed of the progress toward resolving the problem.
  5. In public disclosures about the reported problem, we will credit you as the discoverer of the issue (unless you request otherwise).
  6. We are committed to resolving all issues promptly and actively participating in the public disclosure of the issue once it's resolved.

Your contribution to enhancing our security is greatly appreciated.
