Security & Vulnerability Disclosure Policy
Effective Date: April 19, 2026
1. Our Commitment
SVEN takes the security of our extension and backend infrastructure seriously. We are committed to addressing vulnerabilities responsibly and transparently, in accordance with the EU Cyber Resilience Act (Regulation (EU) 2024/2847).
2. Scope
This policy covers the following assets:
- The SVEN Chrome Extension (all published versions)
- The svenpremium.com website and all its subdomains
- The SVEN backend API and Supabase Edge Functions
The following are out of scope: third-party services we depend on (Supabase, Stripe, Google Cloud, Resend, Cloudflare), the Chrome browser itself, and the streaming platforms that SVEN operates on. Please report vulnerabilities in those services directly to their respective security teams.
3. How to Report a Vulnerability
If you have discovered a security vulnerability in any in-scope asset, please report it to us by email at the address given in section 8 (Contact).
Please include in your report:
- A clear description of the vulnerability
- The asset and version affected (e.g. extension version, URL)
- Steps to reproduce the issue
- The potential impact as you assess it
- Any proof-of-concept code or screenshots, if available
You may write in English or Swedish. Encrypted submissions are welcome — contact us first if you require a PGP key.
4. What We Commit To
- Acknowledgement: We will acknowledge receipt of your report within 5 business days.
- Assessment: We will assess the severity and validity of the report and provide you with an initial response within 14 days.
- Remediation: We will work to remediate confirmed vulnerabilities as promptly as possible, prioritised by severity. Critical issues will be addressed within 30 days where technically feasible.
- Notification: We will notify you when the vulnerability has been fixed and, where appropriate, publicly disclose a security advisory.
- Credit: With your permission, we will acknowledge your contribution in the relevant security advisory.
5. Responsible Disclosure Guidelines
We ask that you:
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate it (coordinated disclosure)
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
- Do not perform denial-of-service attacks or automated scanning at a scale that degrades our service
- Do not use social engineering or phishing against SVEN users or staff
- Act in good faith throughout the process
Researchers who follow these guidelines will not face legal action from SVEN in relation to their security research.
6. Security Updates
Security updates for the SVEN Chrome Extension are delivered through the Chrome Web Store update mechanism. SVEN will receive security updates for as long as it is actively sold and maintained.
When a significant vulnerability is fixed, we will publish a brief advisory on our News page describing the issue, affected versions, and the remediation applied.
7. Regulatory Compliance
This policy is published in compliance with Annex I, Part II of the EU Cyber Resilience Act (Regulation (EU) 2024/2847), which requires manufacturers of products with digital elements to maintain and publish a coordinated vulnerability disclosure policy.
8. Contact
All security-related reports and enquiries should be directed to contact@svenpremium.com. For general support, visit the Support page.