Vulnerability disclosure policy
Found a security issue? Email security@superpost.io. A human reads every report within 24 hours. Below is what to send, what we promise back, and what's in vs. out of scope.
RFC 9116 record: /.well-known/security.txt
Reporting a finding
- Email security@superpost.io.
- Include: a short description, reproduction steps, the affected URL or endpoint, the impact you can demonstrate, and any PoC payloads.
- If the finding involves customer data, stop. Tell us the path you took to reach it and we'll reproduce in a test workspace.
- Do not file the report as a public GitHub issue or post on social media before we coordinate disclosure.
Response SLAs
| Window | Commitment |
|---|---|
| 24 hours | Acknowledgement of receipt — a human reads every report. |
| 7 days | Initial triage with a severity assignment + remediation owner. |
| Per severity | Fix targets: critical ≤ 7d, high ≤ 14d, medium ≤ 60d; low and informational follow the normal sprint cadence. |
| On resolution | We coordinate disclosure timing with you. Default: public credit on /security/acknowledgments after the fix ships. |
SLAs above mirror what we enforce for paid pen test engagements — see infra/pentests/lint.py in the public repo for the mechanical SLA gate.
In scope
- superpost.io and all subdomains (app, gateway, status, docs)
- The SuperPost gateway API (gateway.superpost.io)
- First-party packages published on npm + PyPI under the @superpost / superpost-sdk namespaces
- The Chrome / Firefox / GitHub App extensions when those ship
- Any HTTP / WebSocket endpoint that responds with a SuperPost-issued cert
Out of scope
- Sub-processor surfaces: issues in Clerk, Stripe, Cloudflare, AWS, Anthropic, ElevenLabs, etc. Report those to the vendor's program directly (they pay bounties); we route findings but cannot remediate.
- Denial of service: volumetric DoS testing, load testing, or anything that would degrade service for other customers. Test rate limits at a single-account, single-IP scale.
- Social engineering: phishing of employees, contractors, or customers; pretexting via support channels; physical attacks on offices.
- Self-XSS / clickjacking on pages without auth, and any vulnerability that requires the victim to take an unrealistic action against themselves.
- Missing best-practice headers without a concrete impact: we already enforce CSP / HSTS / X-Frame-Options at the edge. Reports that say `header X is missing` without a working exploit are out of scope.
- Reports generated by automated scanners without manual validation: we run our own SAST + dep-scanning + secret scanning + CodeQL. Drive-by scanner output without a working PoC will be closed.
Safe harbor
- Good-faith research is welcome. If you follow this policy we will not pursue legal action.
- Use test accounts you control, not real customer accounts. We will create accounts on request — email security@superpost.io.
- Stop immediately if you encounter real customer data (PII, content, voice clips). Do not download, copy, or share it. Tell us how you reached it.
- Do not modify, delete, or exfiltrate data you did not put there yourself.
- Coordinate disclosure with us before publishing — see the SLAs above.
This is not yet a paid bug bounty — we credit researchers on /security/acknowledgments and may offer swag or a public reference. A formal bounty program launches once volume justifies it.