Bug bounty program

Rules

  • We will only pay out for disclosures in scope
  • Duplicates will not be accepted; you must be the first person to report the vulnerability
  • We cannot pay out to sanctioned regions
  • Do not access or test our production instance

Scope

  • Only https://staging-2.canvasapp.com/ is in scope. Do not test or attack our production environment.
  • Issues that significantly affect confidentiality or integrity of user data

Out of scope

  • Production supernova.ai
  • Marketing content, docs, blog content
  • Output from automated scanners
  • Load testing (DoS, DDoS)
  • Self-XSS
  • Social engineering
  • Issues that only affect unsupported browsers (e.g. IE6)
  • Missing or incorrect SPF, DMARC, DKIM records
  • DNSSEC
  • Cookie duration
  • Widely-known vulnerabilities in libraries, including public zero-days
  • Exploits that require user action (e.g. in-browser dev tools)
  • Missing HTTP headers
  • Clickjacking
  • Information disclosure of non-user data
  • CSRF on anonymous forms
  • CSRF attacks that require knowledge of the CSRF token
  • Public key disclosure
  • Issues with third-party services
  • UI/UX issues that do not impact security
  • Attacks that require MITM
  • SSL/TLS best practices
  • Any other trivial bugs

Payouts

  • P1: $200
  • P2: $100
  • P3: $50
  • P4: $25

Disclosure

  1. Email security@supernova.ai with the details, steps to reproduce and proof of concept.
  2. If your disclosure is accepted, you will receive further instructions.
  3. If accepted, you will need to provide Form W-9/W-8BEN before your payout can be processed.

© 2025 Infinite Canvas Inc. d/b/a Supernova AI