Security Policy
Our commitment to security and responsible disclosure practices for the VibeGuard platform.
Last updated: 8/15/2025
At VibeGuard, security is our core business and our top priority. This policy outlines our security practices, vulnerability disclosure process, and commitment to protecting our users and their data.
1. Security Practices
Infrastructure Security
• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Infrastructure hosted on secure cloud providers with SOC 2 compliance
• Regular security audits and penetration testing
• Web Application Firewall (WAF) and DDoS protection
• Isolated environments for development, staging, and production
Application Security
• Secure development lifecycle (SDLC) practices
• Regular dependency updates and vulnerability scanning
• Input validation and output encoding to prevent injection attacks
• Role-based access control (RBAC) with least privilege principle
• Multi-factor authentication (MFA) for all administrative access
Data Security
• Read-only access to customer repositories
• Data retention policies with automatic purging
• Secure secrets management using industry-standard vaults
• Regular backups with encryption and testing
• Data isolation between customers
2. Responsible Disclosure
We appreciate the security research community and welcome responsible disclosure of security vulnerabilities.
Reporting Process
1. Email [email protected] with vulnerability details
2. Include steps to reproduce, impact assessment, and any POC code
3. Allow up to 48 hours for initial response
4. Work with us to understand and resolve the issue
5. Coordinate disclosure timing
What We Promise
• Acknowledge receipt within 48 hours
• Keep you informed about remediation progress
• Credit researchers in our security hall of fame (with permission)
• Not pursue legal action for good-faith research
• Consider bounty rewards for critical vulnerabilities
Out of Scope
• Social engineering attacks
• Physical attacks on infrastructure
• Denial of Service (DoS/DDoS) attacks
• Issues in third-party services not under our control
• Vulnerabilities requiring unlikely user interaction
3. Compliance & Certifications
VibeGuard maintains, or is actively working toward, compliance with the following (status noted where not yet complete):
• SOC 2 Type II (in progress)
• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• ISO 27001 (planned)
• Secure coding practices aligned with the OWASP Top 10
4. Incident Response
In the event of a security incident:
1. Immediate containment and investigation
2. Impact assessment within 24 hours
3. Customer notification within 72 hours if data is affected
4. Detailed incident report and remediation steps
5. Post-incident review and process improvements
5. Security Updates
Security updates and patches are:
• Applied immediately for critical vulnerabilities
• Deployed within 30 days for medium severity issues
• Scheduled quarterly for low-risk improvements
• Announced via status page and email notifications
6. Contact Information
For security-related inquiries:
• Security vulnerabilities: [email protected]
• General security questions: [email protected]
• Bug bounty program: [email protected]
• PGP key available at vibeguard.co/pgp
Jurisdiction
This document is governed by the laws of Delaware, United States.