At DCYFR Labs, security is fundamental to everything we build. This page outlines our security measures, vulnerability reporting process, and our commitment to transparency.
Last Updated: January 16, 2026
Our Security Commitment
We prioritize security across all our systems and processes through:
- Privacy-First Approach: Minimal data collection by design
- Transparent Practices: Open about our security measures and incidents
- Proactive Monitoring: 24/7 automated security scanning and alerting
- Continuous Improvement: Regular audits and security updates
- Responsible Disclosure: Clear process for reporting vulnerabilities
Security Measures
Infrastructure Security
- HTTPS/TLS 1.3: All connections encrypted with the latest TLS protocol
- Content Security Policy (CSP): Nonce-based CSP Level 2+ preventing XSS attacks
- Subresource Integrity (SRI): External resources verified with cryptographic hashes
- DDoS Protection: Vercel's edge network with built-in attack mitigation
- HSTS: HTTP Strict Transport Security enforcing secure connections
- Security Headers: X-Frame-Options, X-Content-Type-Options, and more
Application Security
- Input Validation: All user inputs validated and sanitized
- SQL Injection Prevention: Parameterized queries and prepared statements
- XSS Protection: CSP enforcement and automatic output escaping
- CSRF Protection: Token-based CSRF protection on all state-changing operations
- Rate Limiting: API endpoints protected with adaptive rate limits
- Session Security: Encrypted sessions with AES-256-GCM, automatic expiration
Data Security
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256-GCM for session data and sensitive information
- Minimal Data Collection: Only essential data collected (see Privacy Policy)
- No Persistent Tracking: No cookies, no cross-site tracking
- Automatic Data Deletion: Sessions (24-48h), logs (30d), errors (90d)
- Access Control: Strict authentication and authorization for all systems
Monitoring & Detection
- 24/7 Monitoring: Automated security monitoring via Sentry
- Real-Time Alerting: Immediate notifications for security events
- CodeQL Scanning: Automated code analysis for vulnerabilities
- Dependabot: Automated security updates for dependencies
- Monthly Audits: Regular security assessments and penetration testing
- Incident Response: Documented procedures for security incidents
Reporting Security Vulnerabilities
If you discover a security vulnerability, please report it responsibly. We appreciate your efforts to improve our security.
How to Report
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, use one of these secure methods:
- GitHub Security Advisories (Preferred)
  - Visit Security Advisories
  - Click "Report a vulnerability"
  - Provide detailed information using the template
- Direct Contact
  - Use our contact form
  - Include "SECURITY VULNERABILITY" in the subject line
  - Provide all details listed below
What to Include
When reporting a vulnerability, please include:
- Type of Issue: XSS, CSRF, injection, authentication bypass, etc.
- Location: File path, URL, or affected component
- Steps to Reproduce: Detailed, step-by-step instructions
- Impact Assessment: What an attacker could potentially do
- Suggested Fix: If you have one (optional but appreciated)
- Contact Information: For follow-up questions
Response Timeline
- Initial Response: Within 48 hours
- Status Update: Within 5 business days
- Fix Timeline: Based on severity (see below)
Severity Classification
- Critical (24-48 hours): Remote code execution, authentication bypass, data breach
- High (1 week): XSS, CSRF, privilege escalation
- Medium (2 weeks): Information disclosure, DoS vulnerabilities
- Low (4 weeks): Minor information leaks, low-impact issues
Security Best Practices
For Users
- Keep your browser and operating system updated
- Use strong, unique passwords (if authentication features are added)
- Enable two-factor authentication (when available)
- Report suspicious activity immediately
- Verify you're on dcyfr.ai (check the URL and certificate)
- Be cautious of phishing attempts impersonating DCYFR Labs
For Developers
- Follow our security guidelines in CONTRIBUTING.md
- Never commit secrets, API keys, or credentials to the repository
- Run security checks before submitting pull requests
- Review our SECURITY.md in the repository
- Use design tokens (prevents CSS injection vulnerabilities)
- Validate all inputs, sanitize all outputs
- Follow the principle of least privilege
Security Certifications & Compliance
- GDPR Compliant: Privacy by design with minimal data collection
- WCAG 2.1 AA Compliant: Accessibility standards reduce security risks
- CSP Level 2+: Nonce-based content security policy preventing injection attacks
- Automated Scanning: CodeQL, Dependabot, and Lighthouse CI continuous monitoring
- Industry Standards: Following OWASP Top 10 and CWE/SANS Top 25 guidelines
Third-Party Security
We rely on industry-leading providers with strong security certifications:
Vercel (Hosting)
- SOC 2 Type II certified
- ISO 27001 certified
- GDPR and CCPA compliant
- Vercel Security
GitHub (Code Repository)
- SOC 1, SOC 2, and SOC 3 reports
- ISO 27001 and ISO 27018 certified
- Advanced security features (Dependabot, CodeQL, Secret Scanning)
- GitHub Security
Sentry (Error Monitoring)
- SOC 2 Type II certified
- GDPR compliant with PII scrubbing
- Automatic data sanitization
- Sentry Security
Inngest (Background Jobs)
- SOC 2 Type II certified
- GDPR compliant
- Transient data processing (7-day retention)
- Inngest Security
Security Resources
- Security Policy (GitHub) - Detailed vulnerability reporting process
- Security Advisories - Published security notices
- Privacy Policy - How we protect your data
- Terms of Service - Legal agreements and user responsibilities
- Contact Us - Report security concerns
Security Updates
We continuously update our security measures and respond promptly to new threats. This page was last updated on January 16, 2026.
For security notices and updates:
- GitHub Security Advisories - Official security announcements
- Activity Feed - Real-time updates on security improvements