If you discover a security vulnerability in SuperBased, please do not file a public issue. Public disclosure before a fix is in place puts other users at risk.
Instead, email contact@marmut.app with the subject line [SECURITY] and include:
- A description of the vulnerability
- Steps to reproduce (proof-of-concept code is welcome)
- The impact you believe it could have
- Your name or handle if you'd like to be credited in our security acknowledgments
We will:
- Acknowledge receipt within 2 business days.
- Provide an initial assessment within 5 business days.
- Work with you on a coordinated disclosure timeline (typically 30–90 days depending on severity).
- Credit you publicly once the fix is released (if you'd like).
In-scope for security reports:
- The SuperBased desktop application (Windows and macOS builds)
- The SuperBased backend API at api.superbased.app
- The SuperBased web properties: superbased.app, admin.superbased.app
- Authentication, authorization, and session handling
- Any vulnerability that could expose user data, screenshots, API keys, or AI provider credentials
Out-of-scope:
- Issues that require physical access to a user's device
- Social engineering or phishing
- Denial-of-service attacks via volumetric or protocol-level traffic
- Vulnerabilities in third-party services we depend on (please report those to the vendor directly)
- Self-XSS or other issues that require the victim to attack themselves
- Missing security headers on marketing pages with no sensitive data
We will not pursue legal action against good-faith security researchers who:
- Make a reasonable effort to avoid privacy violations and data destruction
- Do not exploit a discovered vulnerability beyond what is necessary to demonstrate it
- Give us reasonable time to fix the issue before public disclosure
- Comply with all applicable laws
Thank you for helping keep SuperBased and its users safe.