Security disclosure policy
We welcome reports from security researchers. This page explains how to report a vulnerability and what happens next.
Norma Ltd takes the security of normamade.com seriously. If you believe you have found a vulnerability in our website, API, or infrastructure, we want to hear from you. This policy sets out how to report it, what we treat as in scope, and the commitments we make in return.
How to report
Email security@normamade.com. The same address is published in our security.txt under RFC 9116. Please include:
- A clear description of the issue and the affected URL, endpoint, or component.
- Steps to reproduce it, including any payload, request, or account state needed.
- The impact you believe it has, so we can triage it correctly.
- Your name or handle if you would like to be credited once the issue is fixed.
You do not need to encrypt your report, but if you prefer to, ask us for a key at the address above and we will reply with one.
What to expect from us
- We acknowledge your report within 2 working days.
- We give you an initial assessment, including whether it is in scope, within 5 working days.
- We keep you updated as we work on a fix and tell you when it ships.
- We credit you by name or handle on request once the issue is resolved, unless you ask us not to.
Safe harbour
We will not pursue legal action against you for security research that follows this policy in good faith. If a third party brings a claim against you for activity that complied with this policy, we will make it known that your actions were authorised. Good faith means you stay within the scope below, avoid privacy violations and service degradation, and give us a reasonable chance to fix the issue before you tell anyone else.
In scope
- https://www.normamade.com and its public API endpoints.
- Authentication, session handling, and access-control flaws.
- Injection, cross-site scripting, and cross-site request forgery.
- Exposure of personal data, payment metadata, or design uploads.
Out of scope
- Vulnerabilities in third-party services we use, such as Stripe, Vercel, or Cloudflare. Report those to the relevant provider.
- Denial-of-service and volumetric attacks, or any test that degrades service for others.
- Social engineering of our staff, customers, or suppliers, and physical attacks.
- Reports from automated scanners with no demonstrated impact, missing best-practice headers with no exploit, and email spoofing of domains we do not control.
Guidelines for researchers
- Only interact with accounts you own or have explicit permission to test. Do not access, modify, or delete other people's data.
- Stop as soon as you confirm a vulnerability. Do not pivot further into our systems than you need to in order to prove the issue.
- Keep the details private until we have shipped a fix, and coordinate any public write-up with us first.
Recognition
We do not run a paid bug-bounty programme at launch. We do credit researchers who report valid issues in good faith, and we will say so publicly with your permission. If we introduce a paid programme later, we will update this page.
Other enquiries
For anything that is not a security vulnerability, contact support@normamade.com. For data protection and privacy requests, see our Privacy policy.