Security Policy

Last Updated: January 26, 2026

Reporting a Vulnerability

⚠️ DO NOT open a public GitHub issue for security vulnerabilities.

If you discover a security vulnerability, please report it responsibly to the Security Team at security@verifystack.io (see Contact below).

Response Timeline

Stage                Timeframe
-------------------  ---------------------------
Acknowledgment       24 hours
Initial Assessment   72 hours
Status Updates       Weekly until resolved
Public Disclosure    90 days or when fixed

Severity Levels & Fix Timeline

Severity   Description                           Fix Timeline
---------  ------------------------------------  ------------
Critical   RCE, auth bypass, data breach         24 hours
High       Privilege escalation, data exposure   7 days
Medium     XSS, CSRF, limited exposure           30 days
Low        Minor issues, info disclosure         90 days

💰 Bug Bounty Program

We offer bounties for valid security reports:

Severity   Bounty Range
---------  ----------------
Critical   $1,000 - $5,000
High       $500 - $1,000
Medium     $100 - $500
Low        Recognition

🔒 Our Security Practices

Infrastructure

  • Cloud Provider: Vercel (SOC 2 Type II certified)
  • Database: Managed PostgreSQL with encryption at rest
  • Secrets: Environment variables, never in code
  • Access: Zero-trust architecture, MFA required

Application

  • Authentication: API keys with Argon2id hashing
  • Authorization: RBAC with principle of least privilege
  • Encryption at rest: AES-256-GCM
  • Encryption in transit: TLS 1.3 only
  • Input validation: Zod schema validation on all inputs
  • Rate limiting: Per-customer token bucket

Compliance

  • SOC 2 Type II: In progress (target Q2 2026)
  • Penetration testing: Annual third-party assessment
  • Vulnerability scanning: Continuous
  • Audit logs: Retained 7 years with tamper-evident signatures

Contact

Security Team: security@verifystack.io

General Support: support@verifystack.io

🏆 Security Acknowledgments

No submissions yet — be the first to responsibly disclose a vulnerability!