Trust & security

Selling security testing means doing security well ourselves.

Here's how CyberGrid handles your data, the principles we apply to our own infrastructure, and how to report a vulnerability if you find one in us.

Data handling

The data CyberGrid stores about your organization, your targets, and your findings.

  • All data encrypted at rest (Neon Postgres) and in transit (TLS 1.2+)
  • Findings are confidential to the customer — never published
  • Reports + attestation PDFs stored in Netlify Blobs, auth-gated download
  • Session cookies HttpOnly, Secure, SameSite=Lax
  • Magic-link tokens hashed (SHA-256) in storage, never plain
  • Account data deleted within 90 days of account closure

Authorized scanning only

Every target is verified via a DNS TXT record before any scan runs. Every pen-test engagement requires a signed Statement of Work and rules-of-engagement document.

  • DNS TXT verification on every automated-scan target
  • Signed scope-of-work + authorization letter for every pen-test engagement
  • Non-destructive default profile; destructive checks require explicit written authorization on a staging environment
  • Documented rate limits (50 req/s default); coordinated test windows

Infrastructure

Our hosting and platform choices, made for security, simplicity, and verifiability.

  • Static site + serverless functions on Netlify (US-East primary)
  • Database on Neon Postgres (encrypted at rest, point-in-time recovery)
  • Transactional email via Resend (SPF / DKIM / DMARC aligned)
  • Payments processed by Stripe (PCI DSS scope is Stripe's)
  • Scan worker on Fly.io (single-region, isolated process)

Operational security

How we run the business day-to-day.

  • 2FA required on all administrative accounts (GitHub, Netlify, Neon, Stripe)
  • Code reviews + signed commits on the production branch
  • Secrets in environment-managed stores (Netlify env, Fly secrets) — never in repo
  • Audit log review on a defined cadence

Found a vulnerability in us?

We sell security testing. If you find a vulnerability in CyberGrid itself, please tell us — confidentially — and we'll act on it.

Report to:

What to include

  1. A clear description of the issue and its impact.
  2. Reproduction steps (or proof-of-concept request/response).
  3. Your name + how you'd like to be credited (or anonymous, your call).

What we commit to

  1. Reply within 2 business days acknowledging the report.
  2. Triage within 5 business days with a severity assessment.
  3. Remediation within a target window proportional to severity (24h critical → 30d low).
  4. Credit on this page (with your permission) once the issue is fixed.

We don't currently run a paid bug-bounty program. We do credit responsible reporters publicly and reply quickly. Please don't run automated scans against our production infrastructure without prior coordination at the email above.