Security Policy

Norn takes the security of its platform seriously. If you believe you've found a security issue in Norn, please report it as described below.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, public forums, or social media.

Send reports to security@nornhq.com. Include as much of the following as you can:

  • A description of the issue and its potential impact
  • Steps to reproduce
  • Affected endpoints, tools, or components
  • Any proof-of-concept code or supporting screenshots
  • Your name and how you'd like to be credited (optional)

We ask that you give us a reasonable window to investigate and remediate before any public disclosure — see the Coordinated disclosure section below.

Scope

In-scope:

  • The Norn web application at norn-data.com
  • The Norn HTTP API
  • The Norn MCP server at norn-data.com/mcp
  • Any first-party Norn service that handles user data or authenticated requests

Out-of-scope:

  • Third-party services Norn integrates with. Please report vulnerabilities in these to the vendors directly.
  • Denial-of-service attacks, volumetric testing, or any activity that degrades service for other users
  • Social engineering of Norn employees, contractors, or customers
  • Physical attacks
  • Vulnerabilities that require compromise of a user's device or account outside of Norn's control
  • Reports generated purely by automated scanners without a demonstrated impact

Response commitment

We commit to:

  • Acknowledge receipt of your report within 3 business days
  • Provide an initial assessment (accepted / needs-more-info / not-applicable) within 7 business days of acknowledgement
  • Keep you updated on remediation progress for accepted reports
  • Credit you in the resolution (with your permission) once the fix has shipped

Safe harbor

Norn will not pursue civil or criminal action, or file complaints with law enforcement, against security researchers who:

  • Make a good-faith effort to comply with this policy
  • Report vulnerabilities promptly to security@nornhq.com
  • Avoid privacy violations, degradation of Norn's services, and destruction or modification of data belonging to others
  • Do not exploit a vulnerability beyond what's necessary to confirm its existence
  • Give Norn a reasonable time to respond before any disclosure

If in doubt, contact us first at security@nornhq.com and describe what you'd like to test. We'll clarify what's covered.

Coordinated disclosure

We ask that you keep vulnerability details private until we've had a reasonable window to remediate. Our default disclosure timeline is:

  • 90 days from the initial report, or
  • 7 days after we notify you that a fix has been deployed to production

— whichever comes first. If a vulnerability is actively being exploited or poses immediate risk to users, we may work with you on an expedited timeline.

What we do not offer

Norn does not currently run a paid bug bounty program. We appreciate reports regardless and will credit researchers publicly (with permission) on a security acknowledgements page as it develops.

Contact

Security reports and scope questions: security@nornhq.com

Thank you for helping keep Norn and its users safe.