# Find a flaw. Tell us first.

We take security research seriously and we treat the people who do it well. This page is the policy: what's in scope, what isn't, how fast we respond, and how we credit you.
## Report a vulnerability

Email security@keyvaultedge.com. Encrypt with our PGP key if the finding is sensitive.

PGP fingerprint: will be published at /.well-known/security.txt.
## In scope

**keyvaultedge.com and subdomains**
The marketing site, dashboard, docs, and any other first-party web property.

**The edge proxy**
Anything that terminates or forwards a customer request, including token validation, header injection, and rate-limiting logic.

**Token minting and rotation**
The control-plane endpoints that issue, rotate, and revoke host-bound tokens.

**Client SDKs**
Official KeyVault Edge SDKs, published under our GitHub organisation.

**Crypto and key handling**
Any implementation issue in how customer keys are encrypted, wrapped, stored, or decrypted.

**Authentication and billing**
Account takeover, session fixation, payment bypass, privilege escalation across tenants.
## Out of scope

**Denial of service**
Volumetric attacks, resource exhaustion, and anything that degrades service for other users.

**Social engineering of staff or customers**
No phishing, pretexting, or physical intrusion attempts.

**Third-party services**
Issues in our sub-processors (Cloudflare, Supabase, Stripe, etc.). Report those directly to them.

**Best-practice findings without a concrete impact**
Missing headers, SPF/DKIM misconfiguration, low-severity TLS configuration issues, and similar, unless you can demonstrate real impact.

**Self-XSS and clickjacking without sensitive state**
Findings that require the victim to actively exploit themselves, or that target pages without session-bound actions.

**Automated scan output**
Unreviewed scanner reports. We require a human-written proof of concept that demonstrates impact.
## Rules of engagement

**Act in good faith**
Test only against your own accounts. Stop immediately if you gain access to another customer's data; report it without pivoting further.

**Do not exfiltrate or retain customer data**
If a finding incidentally exposes data, minimise what you view, delete any copy you took, and describe the exposure in your report.

**Give us time**
Do not publish details until we have had a reasonable chance to fix the issue. Timelines are below.

**Use the contact address**
Public disclosure without prior contact waives the protections in this policy. Use security@keyvaultedge.com first.

**We won't take legal action against good-faith research**
Research conducted in line with this policy is authorised. We will not pursue civil or criminal action, and we will advocate for you if a third party does.
## Response timelines

| Stage | Target |
|---|---|
| Acknowledge receipt | Within 2 business days |
| Initial triage and severity | Within 5 business days |
| Remediation (critical / high) | Within 30 days |
| Remediation (medium / low) | Within 90 days |
| Public disclosure window | 90 days from report, by default |
## Rewards and credit

**Monetary rewards**
We do not currently run a paid bug bounty. As revenue grows, a formal bounty programme is on the roadmap and will be announced here. Until then, we reward researchers with public credit and, at our discretion, swag and goodwill.

**Public credit**
With your permission, we list researchers who report valid, in-scope issues in our acknowledgments section below and in the related incident post-mortem. Anonymity is respected on request.
## Acknowledgments

Researchers who have reported valid issues to KeyVault Edge, in chronological order. Entries are added with the researcher's consent.