Vulnerability disclosure

We welcome reports of security vulnerabilities affecting Notify'n from researchers acting in good faith. This page defines the scope of testing we authorise, the categories we consider out of scope, how to submit a report, and the safe harbour we extend to compliant researchers.

The following surfaces are in scope for testing under this policy:

• notifyn.net (the marketing site)
• app.notifyn.net and other authenticated application surfaces
• portal.notifyn.net
• The Notify'n public API

The following vulnerability classes are in scope:

• Authentication and session management flaws
• Authorisation and access control flaws (IDOR, privilege escalation)
• Injection (SQL, NoSQL, command, LDAP)
• Cross-site scripting (stored, reflected, DOM)
• CSRF on state-changing actions
• Server-side request forgery (SSRF)
• Server-side template injection
• Remote code execution
• Sensitive data exposure
• Cryptographic weaknesses with practical impact

The categories below are explicitly out of scope. Reports falling into any of these categories may not receive a response. We list them at length deliberately so it is clear what we will and will not engage with.

• DNS configuration recommendations (SPF, DKIM, DMARC, CAA, MTA-STS, TLS-RPT) without a working exploit
• Missing security headers without demonstrated exploitation
• SSL/TLS configuration recommendations from automated scanners (cipher suite preferences and similar) without a practical attack
• Clickjacking on pages without sensitive state-changing actions
• Self-XSS
• Rate limiting on non-authentication endpoints
• Output from automated scanners (mxtoolbox, nslookup.io, sslyze, nikto, and similar) without a working proof of concept demonstrating exploitation
• Theoretical vulnerabilities without demonstrated impact
• Vulnerabilities in third-party services we do not control (Stripe, Resend, Cloudflare, MongoDB Atlas, Vercel)
• Social engineering of staff
• Physical attacks
• Denial of service and distributed denial of service
• Reports based on outdated software versions without a working exploit
• Email spoofing reports based on missing or weak email authentication records
• Reports requiring physical access to a victim's device
• Vulnerabilities in browser extensions or third-party tools used to access Notify'n

Send reports to security@notifyn.net. Please include:

• A clear description of the issue
• Reproduction steps
• The affected URL or endpoint
• Your assessment of the impact
• A working proof of concept

• We will acknowledge your report once a person has triaged it. We do not commit to a fixed acknowledgement timeframe.
• We evaluate reports on demonstrated impact rather than theoretical risk. A working proof of concept is the difference between a triaged report and one that is closed.
• We do not pay bounties. With your permission, we may credit you in a future acknowledgements list once the underlying issue is resolved.
• Out-of-scope reports may not receive a response.

We will not pursue legal action against researchers who:

• Make a good-faith effort to comply with this policy
• Do not access, modify, or destroy data beyond what is necessary to demonstrate the issue
• Do not disrupt service
• Do not disclose publicly until we have had reasonable time to respond and remediate (we suggest ninety days)

This policy does not authorise activity that is inconsistent with applicable law. We cannot authorise testing of systems we do not own or operate. Nothing in this document should be read as a waiver of any other rights.