Security
Responsible Disclosure
We welcome security research. Tell us what you found before you tell anyone else, and we'll get it fixed fast.
How to report
Email security@supoid.com with:
- A clear description of the issue
- Steps to reproduce (or proof-of-concept)
- Impact assessment
- Your name (or pseudonym) for our hall of fame, if you want credit
What we promise
- Acknowledge your report within 1 business day
- Triage and provide an initial severity within 3 business days
- Keep you updated until the issue is resolved
- Credit you publicly once the fix ships (with your permission)
- Never pursue legal action against good-faith security research conducted in line with this policy
Scope
In scope:
- supoid.com, app.supoid.com, api.supoid.com
- Customer subdomains under *.supoid.com
- The public REST API at /api/public/v1
- Embeddable widgets served from supoid.com
Out of scope:
- Denial-of-service or volumetric attacks
- Social engineering of staff, customers, or third parties
- Vulnerabilities in third-party services (Vercel, Supabase, Polar, MailerSend, etc.) — please report those directly to the vendor
- Findings from automated scanners without a working proof-of-concept (low-signal, high-noise)
- Missing security headers without an exploitation path
- Spoofing the Sender Policy Framework (SPF) record or similar email-only issues
- Self-XSS that requires a victim to paste content into the console
Bounty
We do not pay a cash bounty at this stage. We send swag for valid reports and credit you here once the issue is fixed.
Hall of fame
No reports yet — be the first. Once we receive valid reports, this section will list researchers who helped us harden Supoid.
PGP
If you prefer encrypted email, request our PGP key via security@supoid.com and we'll reply with the public key.