Last updated: March 12, 2026
Email security@noru.tech with a clear description, reproduction steps, affected URL or endpoint, and potential impact.
Include enough detail for us to reproduce the issue. Screenshots and proof-of-concept code are helpful when relevant.
Do not include sensitive personal data in your report unless strictly necessary for reproduction.
If you act in good faith, avoid privacy violations, avoid service degradation, and do not exfiltrate data, Noru will treat your research as authorized under this policy.
We ask that you stop testing and notify us immediately once you confirm a vulnerability.
This policy does not permit social engineering, physical attacks, denial-of-service, spam, or testing third-party systems outside Noru ownership.
We acknowledge reports within 24 hours.
We perform initial triage within 3 business days.
We aim for coordinated public disclosure within 90 days, adjusted when customer safety requires faster or slower handling.
We validate the report, assess severity, implement remediation, and then coordinate publication timing with the reporter when possible.
If a vulnerability affects customers, we provide remediation guidance and product communication through our security advisories.
Credit is optional and based on the reporter's preference.
