Security at Navaris
Vulnerability disclosure policy
We take the security of our customers' data seriously. This page describes how to report a vulnerability to us, what's in and out of scope for testing, and what you can expect from us in return.
If you believe you've found a security vulnerability in any Navaris product or service, please report it to us privately rather than disclosing it publicly. We commit to working with you to verify, fix, and acknowledge the issue.
How to report
Email security@getnavaris.com with a description of the vulnerability. We will acknowledge receipt within 2 business days.
A useful report includes:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce, ideally with a proof of concept
- The affected URL, endpoint, parameter, or component
- Your assessment of severity, if you have a view
- Your name and any handle you'd like credited (or a request to remain anonymous)
If you can encrypt the report, attach a public PGP key when you contact us and we'll respond with ours. We do not currently publish a default PGP key.
What to expect from us
| Stage | Target |
|---|---|
| Initial acknowledgement | Within 2 business days |
| Initial assessment & triage | Within 5 business days |
| Status update on fix progress | At least every 14 days while open |
| Fix released | Critical: within 7 days · High: within 30 days · Medium: within 90 days · Low: best effort |
| Public credit (if you wish) | After the fix is released and customers have updated |
We will keep you informed throughout, and we will not publicly disclose details of the issue or your identity without your agreement.
In scope
The following systems are in scope for vulnerability research:
- The Navaris production application — any tenant subdomain you control
- The marketing and authentication domain: getnavaris.com
- The Navaris control plane and admin surfaces
- Any officially-published Navaris API endpoint
- Mobile apps, browser extensions, or desktop clients (when published)
Out of scope
We will not act on reports that fall into the following categories. Please do not test these:
- Denial-of-service (volumetric, slow-loris, application-layer flooding) against any production system
- Social engineering of Navaris employees, contractors, or customers
- Physical attacks on Navaris facilities or hardware
- Spam, phishing, or fraudulent emails sent to Navaris addresses
- Third-party services we integrate with (Microsoft Graph, Google Workspace, Dropbox, Box, Xero, HubSpot, DocuSign, Stripe, Supabase, Vercel, AWS) — report those to the respective vendor
- Tenant subdomains belonging to other customers — you may only test against tenants you have legitimate access to. Cross-tenant access attempts are exactly what we want you to find, but please demonstrate them using two tenants you own.
- Findings from automated scanners without manual verification of exploitability
- Issues that require unrealistic user interaction (e.g. a victim deliberately disabling browser security features)
- Missing security headers that don't lead to a demonstrable attack
- Email spoofing of getnavaris.com or related domains where SPF/DKIM/DMARC is misconfigured (please report directly, but we will not treat it as a vulnerability if no exploit chain is demonstrated)
- Best-practice recommendations without a concrete vulnerability (e.g. "you should rotate this key more often")
Safe harbor
When you research and report a vulnerability in good faith and in line with this policy, we will:
- Not initiate or support legal action against you
- Not report you to law enforcement
- Treat your activity as authorised security testing under the UK Computer Misuse Act 1990 and equivalent legislation in other jurisdictions
- Work with you to understand and resolve the issue quickly
In return, we ask that you:
- Stay within the systems listed under "In scope" above
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
- Only access, store, or share the minimum data necessary to demonstrate the vulnerability — and delete it once you've reported
- Do not exfiltrate any data beyond what's needed to prove the issue
- Do not publicly disclose the issue, or share it with third parties, until we've had a reasonable opportunity to fix it (see "Coordinated disclosure" below)
- Do not engage in any activity that could harm our customers or our service
If you're unsure whether a particular activity is permitted, contact us at security@getnavaris.com before you do it and we'll respond.
Coordinated disclosure
We follow a coordinated-disclosure model. After you report a vulnerability:
- We will work with you to verify and reproduce it
- We will agree a timeline for the fix, normally within the targets above
- Once the fix is released and customers have had time to apply it (usually 7 days for SaaS-only fixes, longer if customer action is required), we will be happy for you to publish your findings
- We may request additional time if a fix is materially complex or requires migration; we will explain why if so
If we cannot reach agreement on a timeline, we will not threaten you for publishing — but we ask that you make a reasonable effort to coordinate.
Recognition
We do not currently operate a paid bug bounty programme. We do maintain a public acknowledgements page (link to be added) and will credit researchers who report valid vulnerabilities, with their consent.
We may move to a formal programme in the future. If we do, researchers who reported issues to us before the programme launched will be considered for retroactive recognition.
Out-of-band issues
If you become aware of a Navaris account being compromised — yours or another customer's — email security@getnavaris.com immediately with the subject line [URGENT] Compromise. We monitor this address continuously.
For non-security customer support, please use the in-app help or support@getnavaris.com — security@ is monitored only for vulnerability reports and incident notifications.
This policy is published in the spirit of disclose.io and adapted to Navaris's circumstances. Last updated 2026-05-04.