Security

Responsible Disclosure

If you've found a security vulnerability in Nora, please tell us privately. We'll work quickly to fix it and credit you for the find.

How to report

Email security@nora.fyi with a clear description of the vulnerability, steps to reproduce, and any supporting material (screenshots, proof-of-concept). We'll acknowledge your report within 48 hours.

Our commitments

  • We won't take legal action against researchers acting in good faith.
  • We'll keep you informed as we investigate and fix the issue.
  • We'll credit you publicly when the fix ships, unless you prefer to stay anonymous.
  • We aim to resolve critical issues within 7 days, and all other issues within 30 days.

Scope

In scope: anything on nora.fyi, the Nora assistant, API endpoints, and connected account handling. Out of scope: social engineering, physical attacks, and third-party services (iMessage, Anthropic, Supabase).

Please don't

  • Access or modify other users' data.
  • Perform denial-of-service attacks.
  • Disclose the vulnerability publicly before we've had a chance to fix it.