Report a Security Vulnerability

Last modified: June 16, 2025

At Novo, we care deeply about the security and privacy of our customers’ data. If you discover a vulnerability in any of our products or services, we appreciate your help in responsibly reporting it to us. Your efforts help us keep our platform safe for everyone.

How to Report

If you’ve identified a potential security issue that is not listed as out-of-scope, please contact us at security@trynovo.com with:

  • A summary of the issue and potential impact
  • Step-by-step instructions to reproduce the issue
  • Details of your test environment (browser, OS, API client, etc.)
  • Any relevant proof-of-concept code, logs, or screenshots

We will acknowledge your report within 7 business days and keep you updated as we investigate and resolve the issue.

In Scope

Please limit your testing to these environments and interfaces:

Out of Scope

  • Automated or denial-of-service (DoS) attacks of any kind
  • Social engineering (phishing, manipulation, etc.)
  • Testing on production user accounts (other than your own test/demo account)
  • Attacks that require physical access to user devices
  • Vulnerabilities requiring unlikely user interaction
  • Theoretical issues without proof-of-concept or exploitability
  • Missing security headers, CSP, or email best practices unless there is direct risk
  • Outdated browser issues (older than 2 stable versions)
  • Issues involving third-party providers not operated by Novo

Never attempt to access, modify, or delete data belonging to other users or customers. Please do not test against real user data.

Responsible Disclosure

  • Please make a good faith effort to avoid privacy violations, service disruption, or destruction of data.
  • Do not publicly disclose the vulnerability or any details until we have confirmed a fix or provided explicit written permission.
  • If you encounter sensitive or personally identifiable information (PII), stop testing and report it immediately without further access or exfiltration.

Safe Harbor

Any activities conducted in accordance with this policy will be considered authorized conduct. We will not initiate legal action against you if you act in good faith and within these guidelines.

We do not offer monetary rewards or public recognition for disclosures at this time, but we sincerely thank you for helping protect our customers and platform.

If you have any questions about this policy or responsible disclosure at Novo, please contact security@trynovo.com.

Thank you for helping us keep Novo secure.