Where to report a security issue
If you've found a security issue in Overture — a vulnerability, a data exposure, anything that could put another customer's data at risk — email [email protected]. We respond inside one business day. Good-faith research is welcomed and protected.
How to reach us
- Email: [email protected]
- Subject line: include the word "Security" so it routes to the right inbox.
- Encryption: if you want to use PGP, ask in your first message and we'll send our public key.
Please do not file security issues in our public support channels, GitHub, social media, or general [email protected] queue. Those are not the right place and may delay our response.
What to include in your report
The more we have up front, the faster we can confirm and fix. Helpful details:
- Summary of the issue in one or two sentences.
- Affected component: URL, endpoint, page, or feature.
- Step-by-step reproduction. If a test account would help, tell us — we may set one up for you.
- Impact: what an attacker could do if this is exploited.
- Proof-of-concept if you have one — screenshots, request/response samples, payloads.
- Your name and contact if you'd like credit when we publish a fix.
Our response timeline
| Stage | Target |
|---|---|
| Acknowledge receipt | 1 business day |
| Initial triage and severity assessment | 3 business days |
| Status update or fix ETA | 10 business days |
| Resolution (critical/high) | As fast as we can ship — typically days, not weeks |
| Resolution (medium/low) | Folded into normal release cadence |
Safe harbor for good-faith research
If you're researching in good faith — testing for vulnerabilities, not exploiting them for personal gain or harm — we will not pursue legal action against you, including under the Computer Fraud and Abuse Act, similar laws in other jurisdictions, or Overture's Terms of Service.
To stay inside safe harbor, please:
- Don't access data that isn't yours. Use a test account or your own account.
- Don't degrade service. No DDoS, no automated stress testing against production.
- Don't disclose publicly until we've had a reasonable chance to fix — typically 90 days from acknowledgement.
- Don't extract or retain customer data beyond the minimum needed to demonstrate the issue.
- Don't social-engineer our staff or customers.
What's in scope
- app.overture.show — the Overture web application and its API.
- overture.show — the marketing site and help center.
- Email and notification delivery flows we control.
- Authentication, authorization, and session handling.
What's out of scope
- Third-party services. Stripe, Resend, Cloudflare, Railway, Supabase — report directly to them. We're happy to help bridge if needed.
- Social engineering of our team or other customers.
- Physical attacks on our offices or staff.
- Denial of service. Volumetric DDoS, resource-exhaustion attempts, etc.
- Spam, phishing, or content abuse by other Overture users — report those to [email protected] instead.
- Issues requiring a compromised endpoint already under attacker control (rooted device, full MitM with installed cert).
- Missing security headers without demonstrated impact, theoretical bugs without a working PoC, automated scanner output with no analysis.
Credit and acknowledgement
We do not currently run a paid bug bounty. We do credit researchers publicly on a security acknowledgements page (in development) when you'd like the credit. If you'd prefer to stay anonymous, that's fine too — just let us know.
If a breach is in progress
If you believe customer data is being actively exposed right now — not a theoretical vulnerability, an in-progress incident — please mark your email URGENT in the subject and we'll page on-call immediately. Include a reachable phone number so we can call you back if email is too slow.