Noorstream supports responsible disclosure of security vulnerabilities and takes reports seriously. As a security firm, we hold our own infrastructure to the same standards we recommend to clients.
Scope
This policy applies to security vulnerabilities found on noorstream.com and any Noorstream-operated infrastructure.
Unauthorized security testing of Noorstream systems is not permitted. This policy establishes a reporting channel for vulnerabilities discovered through legitimate means only — such as passive observation, review of publicly available information, or discovery during authorized use of our services.
Out of Scope
The following are not considered valid vulnerabilities for this program:
- Denial-of-service attacks
- Social engineering of Noorstream staff
- Physical security issues
- Reports from automated scanners without verified impact
- Missing security headers or best-practice violations without concrete impact
- Issues on third-party services (Google Workspace, WordPress.com, etc.) — please report to those providers directly
How to Report
Email security@noorstream.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Affected URL(s) or endpoints
- Any proof-of-concept code or screenshots (optional)
What to Expect
We will acknowledge your report within 5 business days and work to validate findings within 10 business days. We assess reports using CVSS 3.1 and prioritize remediation based on exploitability and business impact. We aim to remediate critical issues within 90 days of validation.
We ask that you give us 90 days from acknowledgment before public disclosure. Extensions may be requested in writing for complex issues. For critical vulnerabilities with active exploitation, we will coordinate expedited disclosure.
We will keep you informed of progress throughout the process.
Rights and Legal Remedies
Noorstream retains all legal rights and remedies against any party who engages in unauthorized security testing, unauthorized access, data exfiltration, or any activity that violates applicable law or our Terms of Service. This policy does not grant authorization for any testing activities.
Contact
security@noorstream.com

