Security at a Glance
- Cloudflare-native — Workers, D1, R2, and Workers AI at the edge
- ISO 27001:2022 program — ISMS in place with external audit engagement via Vanta + Digitech Group
- Responsible disclosure — security.txt + PGP and a clear Vulnerability Disclosure Policy
Cloudflare Platform Assurances
Our platform is Cloudflare-native end to end:
- Runtime: Cloudflare's global edge with enterprise-grade horizontal scaling per request, isolation by design, and consistently low latency. Routing, WAF, and TLS termination handled before app code executes.
- Storage: D1 (relational) and R2 (objects) are private by default, accessed only via bound Workers. Data protected in transit with TLS and Cloudflare-managed encryption at rest.
- AI/ML: Workers AI executes entirely inside Cloudflare's network — no model inputs or outputs leave Cloudflare. AI can be disabled per tenant.
- Sovereignty: Compute, storage, and network transmission occur on the Cloudflare edge closest to your users.
Cloudflare holds independently verified ISO 27001/27701, SOC 2, PCI DSS, and related certifications. See Cloudflare Trust Hub.
GitHub Platform Integration
- Authentication: OAuth 2.0 and GitHub App authentication with fine-grained permissions. Short-lived tokens with minimal required scopes.
- Data Security: REST and GraphQL APIs over TLS 1.2+. Repository data accessed read-only with explicit user consent.
- Webhook Security: Signed webhook payloads using HMAC-SHA256 for authenticity verification.
- Privacy & Compliance: GitHub processes data in accordance with GDPR, SOC 2, and other compliance frameworks.
ISO 27001:2022 External Audit
We have engaged Vanta + Digitech Group to prepare and perform an independent ISO 27001:2022 certification audit. As a startup within our first year, we are establishing an ISMS and running internal audits prior to the external Stage 1 and Stage 2 audits.
Audit scope: risk assessment, control implementation, monitoring, incident response, vendor management, and secure development lifecycle.
Vulnerability Disclosure Policy
We welcome good-faith security research. Email security@vulnetix.com encrypted with our PGP key.
In Scope
- Production web applications and APIs under vulnetix.com and subdomains
- Workers API endpoints under /api/*
- Cloudflare R2 buckets (artifacts, webhooks) for other users as accessed through our application
Out of Scope
- Social engineering of Vulnetix staff or customers
- Physical security attacks
- Denial of Service, volumetric or resource-exhaustion testing
- Browser-based attacks targeting a user's local browser context or third-party services
- Automated scanning that degrades service for other tenants (unless coordinated in advance)
Safe Harbor
- If you make a good-faith effort to follow this policy, we will not initiate legal action against you
- Do not access, modify, or exfiltrate data that does not belong to you; use test accounts where possible
Disclosure & Timelines
- Email security@vulnetix.com and encrypt with our PGP key (/pgp-key.txt)
- We acknowledge reports within 3 business days
- Validated issues remediated within 90 days, prioritised by severity and customer impact
- Please do not publicly disclose details until we confirm a fix or 90 days have elapsed
security.txt
Always available at /.well-known/security.txt
Contact: mailto:security@vulnetix.com
Expires: 2050-01-01T00:00:00.000Z
Preferred-Languages: en
Encryption: https://www.vulnetix.com/pgp-key.txt
PGP public key: /pgp-key.txt
Report a vulnerability: security@vulnetix.com