Report a vulnerability

Supernormal is committed to the safety and security of our customer’s data. We make every effort to ensure their data remains safe. We encourage responsible disclosure and appreciate your assistance in keeping our application secure. The following details steps you may take to disclose an issue to our team.

How to report an issue

Before reporting, ensure you have discovered a legitimate vulnerability and not a false positive. Conduct thorough testing and gather enough evidence to demonstrate the vulnerability's impact. If you have discovered an issue, please send an email to with the following details:

  • Description: Clearly describe the vulnerability, its impact, and any potential attack vectors
  • Steps to Reproduce: Provide a step-by-step guide to reproduce the vulnerability
  • Tools/Dependencies: Mention any tools, software versions, or dependencies used during your research
  • Provide proof-of-concept code illustrating the exploit, if applicable

Our team will investigate the issue as soon as we receive your report. We will keep you updated on the progress and may reach back for further details if needed. Once the issue is resolved we will update our customers.

Supernormal will compensate you for reports of any valid vulnerabilities with a CVSS score of 4 or higher.


Our vulnerability disclosure program focuses on our primary web application and API. This includes potential vulnerabilities in the application's source code, configurations, server infrastructure, and associated services.

Out of Scope:

  • Automated vulnerability scanning
  • Bugs which allow an attacker to bypass limits on free accounts and/or get access to features on paid plans
  • Vulnerabilities in third-party applications or services not directly managed by us
  • Denial of service attacks or distributed denial of service (DDoS) attacks
  • Vulnerabilities resulting from outdated client software or insecure user behavior
  • Vulnerabilities depending on physical access to a customer's device
  • Reports regarding best practices with respect to DNS configuration, CSP, and CORS, while informative, do not qualify for a reward
  • Social engineering of any kind

In scope:

Safe Harbor

To encourage responsible disclosure, we offer a safe harbor policy. This means that, provided you adhere to the guidelines outlined in this document, we will not initiate any legal action against you regarding your research activities. We also commit to work with you in a timely manner to address and resolve reported vulnerabilities.

However, please note that we expect you to act ethically and responsibly, respecting user privacy, avoiding any unauthorized access to data, and refraining from any destructive actions or disruptions to our services.