Security

Find a problem? Tell us.

Northbeams is a security product. We take vulnerability reports seriously and we work with researchers in good faith. This page tells you exactly how to reach us, what is in scope, what protection you have, and how fast you will hear back.

01 / How to report

One inbox. One business day.

Email security@northbeams.com. We acknowledge every report within one business day. We aim to triage within three business days and to reach a remediation plan within ten.

Helpful things to include:

Affected URL, endpoint, or component (marketing site, dashboard, browser extension, Northbeams desktop app).
Steps to reproduce. A short video or screenshot helps.
Impact you observed. Severity is fine; we will calibrate.
Whether you tested against your own data or someone else's. Always test against your own.

Use any reasonable encryption you prefer. We can rotate to a PGP key on request.

02 / Scope

What is in. What is out.

In scope

Production assets we own.

northbeams.com (marketing site)
monitor.northbeams.com (dashboard and API)
Northbeams Monitor browser extension (current Chrome Web Store release)
Northbeams for Mac and Windows (current signed desktop release)
Public APIs under monitor.northbeams.com/api/v1/

Out of scope

Third-party hosts and noise.

Vulnerabilities in third-party services we depend on (Vercel, Firebase, Stripe, Resend, Sentry, Crisp, Cloudflare). Report those to the vendor.
Denial of service, volumetric brute force, automated scanner output without a working PoC.
Best-practice gaps without a demonstrated exploit (missing security header on a static page, etc).
Self-XSS that requires an attacker to convince the user to paste payload into the browser console.
Issues that require physical access to a victim's unlocked device.

03 / Safe harbor

Good-faith research is welcome.

If you make a good-faith effort to comply with this policy during your research, we will:

Consider your activity authorised under the Computer Fraud and Abuse Act and analogous laws.
Waive any DMCA claim against you for circumvention of technical measures used to protect the in-scope assets.
Not pursue or support any claim against you, including for incidental data access that was unavoidable in the course of testing.

Good-faith means:

You only test against accounts you own or have explicit permission to test.
You stop and notify us as soon as you find a vulnerability rather than expanding access.
You do not exfiltrate, modify, or destroy data beyond what is needed to demonstrate the issue.
You do not publish details before we have had a reasonable chance to remediate (typically 90 days, sooner by mutual agreement).

We do not currently run a paid bounty program. We will publicly thank researchers who report responsibly, with permission.

Contact security

Vulnerability reports, vendor questionnaires, sub-processor requests, and DPA copies all go to the same address. We acknowledge within one business day.

security@northbeams.com →

Machine-readable: security.txt