Security

Security Policy & Responsible Disclosure

Last updated: 1 April 2026

Found a vulnerability?

If you've discovered a security issue in MailSentry or any Normwise service, please report it privately before public disclosure. We commit to acknowledging every report within 24 hours.

Report to security@normwise.eu

1. Scope

This policy covers all Normwise-operated services, including:

  • mailsentry.normwise.eu and associated subdomains
  • clarity.normwise.eu
  • toolkit.normwise.eu
  • evidentia.one
  • All Normwise APIs and backend infrastructure

Third-party services (e.g. Stripe, Mollie, Hetzner) are not in scope — report issues to those providers directly.

2. Responsible disclosure rules

We ask that you:

  • Report privately first. Email security@normwise.eu before any public disclosure.
  • Give us reasonable time. We ask for a minimum 90-day coordinated disclosure window from the date of your report.
  • Do not access or modify user data. Testing must not extract, alter, or destroy real user data.
  • Do not disrupt services. No DDoS, automated scanning at high volume, or actions that degrade service availability.
  • Do not use social engineering. Attacks against employees or users are out of scope.

3. What to include in your report

A strong report helps us respond faster. Please include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce (proof-of-concept code or screenshots where applicable)
  • The affected URL, endpoint, or component
  • Your contact details if you wish to be kept informed of the fix

4. Our commitments

When you report a valid vulnerability in good faith, we commit to:

  • Acknowledging your report within 24 hours
  • Providing an initial assessment within 5 business days
  • Working with you to understand and resolve the issue
  • Notifying you when the fix is deployed
  • Crediting you in our disclosure (unless you prefer anonymity)

We do not currently offer a paid bug bounty programme, but we value every responsible disclosure and will publicly acknowledge your contribution.

5. What we consider in scope

  • Authentication and authorisation bypasses
  • SQL injection, command injection, SSTI
  • Cross-site scripting (XSS) with meaningful impact
  • Insecure direct object references (IDOR)
  • Data exposure / information leakage
  • CSRF on state-changing requests
  • Server-side request forgery (SSRF)

6. Out of scope

  • Missing or weak rate limiting on public, non-sensitive endpoints
  • Missing security headers without a demonstrated exploit
  • Self-XSS or attacks that require physical device access
  • Vulnerabilities in third-party libraries (report to the library maintainer)
  • Theoretical attacks without a working proof of concept
  • Social engineering of Normwise staff

7. Infrastructure security

MailSentry is hosted on Hetzner Cloud (Germany), within the EU. We apply the following baseline controls:

  • All traffic served over HTTPS with HSTS enforced
  • DMARC, SPF, and DKIM configured on all Normwise sending domains
  • Database access restricted to application network only; not exposed publicly
  • Session secrets rotated; sessions expire after 7 days
  • Passwords hashed with bcrypt (cost factor 12)
  • Content Security Policy header configured so that injected inline scripts are not executed
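The controls above are only meaningful with specific settings behind them: HSTS needs a long max-age and includeSubDomains, a CSP only stops injected inline scripts if script-src carries no 'unsafe-inline', SPF needs a terminal -all/~all, and DMARC needs p=quarantine or p=reject. The following script is an added example, not Normwise's own code, that checks these conditions offline against constructed sample data (the header values, the example.test domain and its TXT records are all made up here, and the one-year minimum HSTS max-age is this example's own threshold, not one the policy states). Pointing the same functions at a real `curl -I` capture and `dig TXT` output is left to the reader.

```python
import re

# Constructed sample data, not captured from any Normwise host: an HTTPS
# response header set and the TXT records an auditor might have looked up.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example-mailer.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}

ONE_YEAR = 365 * 24 * 3600  # this example's minimum acceptable HSTS max-age


def check_hsts(headers, min_age=ONE_YEAR):
    """HSTS counts as enforced only with a long max-age and includeSubDomains."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "HSTS header missing"
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False, "malformed max-age"
    if max_age < min_age:
        return False, f"max-age {max_age} below {min_age}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    return True, "ok"


def check_csp_blocks_inline(headers):
    """Injected inline scripts are blocked only if the effective script-src lacks 'unsafe-inline'."""
    value = headers.get("content-security-policy")
    if value is None:
        return False, "CSP header missing"
    sources = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            sources[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent
    script_src = sources.get("script-src", sources.get("default-src"))
    if script_src is None:
        return False, "neither script-src nor default-src set"
    if "'unsafe-inline'" in (s.lower() for s in script_src):
        return False, "script-src allows 'unsafe-inline'"
    return True, "ok"


def check_spf(txt_records, domain):
    """Exactly one SPF record, ending in -all (hard fail) or ~all (soft fail)."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected exactly one SPF record, found {len(spf)}"
    last = spf[0].split()[-1].lower()
    if last not in ("-all", "~all"):
        return False, f"SPF ends with '{last}', not -all/~all"
    return True, "ok"


def check_dmarc(txt_records, domain):
    """Exactly one DMARC record with an enforcing policy; p=none only monitors."""
    records = [r for r in txt_records.get(f"_dmarc.{domain}", [])
               if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return False, f"expected exactly one DMARC record, found {len(records)}"
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", records[0]))
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC policy is '{policy or 'missing'}'"
    return True, "ok"


def audit(headers, txt_records, domain):
    """Run every check; returns {check_name: (passed, reason)}."""
    return {
        "hsts": check_hsts(headers),
        "csp_inline": check_csp_blocks_inline(headers),
        "spf": check_spf(txt_records, domain),
        "dmarc": check_dmarc(txt_records, domain),
    }


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_HEADERS, SAMPLE_TXT, "example.test").items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Each check returns a reason string alongside the verdict so a failing control is reported with the directive that caused it (a short max-age, an 'unsafe-inline' token, a '+all' or a 'p=none'), which is what you want when re-running the audit after a configuration change.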

8. Contact

Security disclosures: security@normwise.eu
General enquiries: hello@normwise.eu

We do not accept security reports via social media or public issue trackers. All vulnerability reports must be sent to the email address above.