Security Policy
Last Updated: January 26, 2026
Reporting a Vulnerability
⚠️ DO NOT open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability, please report it responsibly:
Email: security@verifystack.io
PGP Key: Request via email
Response Timeline
| Stage | Timeframe |
|---|---|
| Acknowledgment | 24 hours |
| Initial Assessment | 72 hours |
| Status Updates | Weekly until resolved |
| Public Disclosure | 90 days or when fixed |
Severity Levels & Fix Timeline
| Severity | Description | Fix Timeline |
|---|---|---|
| Critical | RCE, auth bypass, data breach | 24 hours |
| High | Privilege escalation, data exposure | 7 days |
| Medium | XSS, CSRF, limited exposure | 30 days |
| Low | Minor issues, info disclosure | 90 days |
💰 Bug Bounty Program
We offer bounties for valid security reports:
| Severity | Bounty Range |
|---|---|
| Critical | $1,000 - $5,000 |
| High | $500 - $1,000 |
| Medium | $100 - $500 |
| Low | Recognition |
🔒 Our Security Practices
Infrastructure
- Cloud Provider: Vercel (SOC 2 Type II certified)
- Database: Managed PostgreSQL with encryption at rest
- Secrets: Environment variables, never in code
- Access: Zero-trust architecture, MFA required
Application
- Authentication: API keys with PBKDF2-SHA256 hashing (100k iterations) and HMAC pepper
- Authorization: RBAC with principle of least privilege
- Encryption at rest: AES-256-GCM
- Encryption in transit: TLS 1.3 only
- Input validation: Zod schema validation on all inputs
- Rate limiting: Per-customer token bucket
Compliance
- SOC 2 Type II: In progress (target Q2 2026)
- Penetration testing: Annual third-party assessment
- Vulnerability scanning: Continuous
- Audit logs: Retained 7 years with tamper-evident signatures
Contact
Security Team: security@verifystack.io
General Support: Submit a support ticket
🏆 Security Acknowledgments
No submissions yet — be the first to responsibly disclose a vulnerability!