Security

Responsible Disclosure

We welcome security research. Tell us what you found before you tell anyone else, and we'll get it fixed fast.

How to report

Email security@supoid.com with:

  • A clear description of the issue
  • Steps to reproduce (or proof-of-concept)
  • Impact assessment
  • Your name (or pseudonym) for our hall of fame, if you want credit

What we promise

  • Acknowledge your report within 1 business day
  • Triage and provide an initial severity within 3 business days
  • Keep you updated until the issue is resolved
  • Credit you publicly once the fix ships (with your permission)
  • Never pursue legal action against good-faith security research conducted in line with this policy

Scope

In scope:

  • supoid.com, app.supoid.com, api.supoid.com
  • Customer subdomains under *.supoid.com
  • The public REST API at /api/public/v1
  • Embeddable widgets served from supoid.com

Out of scope:

  • Denial-of-service or volumetric attacks
  • Social engineering of staff, customers, or third parties
  • Vulnerabilities in third-party services (Vercel, Supabase, Polar, MailerSend, etc.) — please report those directly to the vendor
  • Findings from automated scanners without a working proof-of-concept (low-signal, high-noise)
  • Missing security headers without an exploitation path
  • Spoofing the Sender Policy Framework (SPF) record or similar email-only issues
  • Self-XSS that requires a victim to paste content into the console

Bounty

We do not pay a cash bounty at this stage. We send swag for valid reports and credit you here once the issue is fixed.

Hall of fame

No reports yet — be the first. Once we receive valid reports, this section will list researchers who helped us harden Supoid.

PGP

If you prefer encrypted email, request our PGP key via security@supoid.com and we'll reply with the public key.