Responsible Disclosure
We take security seriously. If you've found a vulnerability in NAMA OS, our marketing site, or our APIs, this page is the fastest way to reach the team that can fix it.
Report a vulnerability
Email hello@getnama.app. Encrypt with our PGP key when possible (linked in security.txt).
Please do NOT open public GitHub issues for security findings. For non-security questions, see our contact options.
What to expect
Acknowledgement within 5 business days
A real human from our security team will confirm receipt and start triage.
Critical fixes within 30 days
CVSS 9.0+ findings (auth bypass, RCE, mass PII exposure) receive a patch within 30 days of confirmed reproduction. Critical fixes also trigger a customer security advisory.
Medium / low fixes within 90 days
Lower-severity findings are batched into the next quarterly hardening sprint, and the reporter is always notified when the fix ships.
In scope
- getnama.app + www.getnama.app
- NAMA OS API endpoints under /api/v1/*
- The customer portal at /portal/[bookingId]
- The lead-capture widget served from widget.js
Out of scope
- Third-party SaaS we don't operate (Vercel, Railway, Neon, Resend, OpenRouter — please file with them directly)
- Self-XSS that requires the victim to paste attacker-controlled code into their own console
- Missing security headers without an exploitable scenario
- Rate-limit findings on public endpoints — we monitor + cap these centrally
- Social-engineering of NAMA staff or customers
- Physical attacks against our offices or homes
- DoS / volumetric attacks — please don't run them; we'll trust the report
Hall of fame
We'll list researchers who responsibly disclose here once we receive our first report.
First reporter on a critical finding gets the top slot.
About paid bounties
See also: RFC 9116 security.txt · Platform status · hello@getnama.app