Security Policy
Last Updated: February 1, 2026
1. Our Security Commitment
Security is the foundation of RacterVault. We are committed to:
- Maintaining a zero-knowledge encryption architecture
- Implementing quantum-resistant cryptography
- Conducting regular security audits and penetration testing
- Disclosing security incidents transparently
- Rewarding security researchers who help us improve
2. Responsible Disclosure Policy
2.1 Reporting Security Vulnerabilities
If you discover a security vulnerability in RacterVault, please report it responsibly:
- Email: security@ractervault.com
- PGP Key: Download our public key
- Bug Bounty: View our bug bounty program
2.2 What to Include
Please provide:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity assessment
- Proof of concept (if applicable)
- Your contact information for follow-up
2.3 Our Response Process
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Regular Updates: Every 7 days until resolved
- Fix Development: Based on severity (critical: 7 days, high: 30 days, medium: 90 days)
- Public Disclosure: After fix is deployed (coordinated with reporter)
2.4 Safe Harbor
We will not pursue legal action against security researchers who:
- Report vulnerabilities in good faith
- Do not access or modify user data
- Do not disrupt our services
- Follow responsible disclosure practices
- Comply with applicable laws
3. Bug Bounty Program
3.1 Scope
In Scope:
- ractervault.com and subdomains
- Web application (all features)
- Mobile applications (iOS, Android)
- Desktop applications (Windows, macOS, Linux)
- API endpoints
- Cryptographic implementations
Out of Scope:
- Third-party services (payment processors, CDN)
- Social engineering attacks
- Physical security
- Denial of service attacks
- Issues requiring physical access to user devices
3.2 Reward Tiers
| Severity | Description | Reward |
|---|---|---|
| Critical | RCE, authentication bypass, encryption break | $10,000 - $50,000 |
| High | SQL injection, XSS, CSRF, privilege escalation | $2,000 - $10,000 |
| Medium | Information disclosure, IDOR, subdomain takeover | $500 - $2,000 |
| Low | Security misconfigurations, minor issues | $100 - $500 |
3.3 Bonus Rewards
- +50%: Cryptographic vulnerabilities
- +25%: Detailed write-up with fix recommendations
- +25%: First reporter of a vulnerability
3.4 Hall of Fame
With your permission, we'll list your name on our Security Hall of Fame.
4. Security Practices
4.1 Development Security
- Secure coding guidelines
- Code review for all changes
- Static analysis (SonarQube, Semgrep)
- Dynamic analysis (OWASP ZAP)
- Dependency scanning (Snyk)
- Secret scanning (GitGuardian)
4.2 Infrastructure Security
- Principle of least privilege
- Multi-factor authentication for all access
- Encrypted communications (TLS 1.3)
- Regular security updates and patching
- Network segmentation
- Intrusion detection/prevention systems
4.3 Operational Security
- 24/7 security monitoring
- Incident response plan
- Regular backups (encrypted, geographically distributed)
- Disaster recovery procedures
- Employee security training
- Background checks for employees with access
5. Security Audits
5.1 Third-Party Audits
- Penetration Testing: Quarterly by independent firms
- Code Audits: Annual review of cryptographic implementations
- Infrastructure Audits: Annual assessment of security controls
- Compliance Audits: SOC 2 Type II (annual)
5.2 Audit Reports
We publish summaries of security audits (with sensitive details redacted).
6. Incident Response
6.1 Detection
- Automated monitoring and alerting
- Log analysis and anomaly detection
- User reports
- Security researcher disclosures
6.2 Response Process
- Identification: Confirm and assess the incident
- Containment: Limit the impact and prevent spread
- Eradication: Remove the threat and vulnerabilities
- Recovery: Restore normal operations
- Lessons Learned: Post-incident review and improvements
6.3 User Notification
We will notify affected users within 72 hours if:
- Personal data is compromised
- Account security is affected
- Action is required from users
7. Compliance
7.1 Standards and Certifications
- GDPR: Full compliance with EU data protection law
- Icelandic DPA: Compliance with local data protection laws
- SOC 2 Type II: In progress
- ISO 27001: On the roadmap
7.2 Cryptographic Standards
- NIST-approved algorithms
- Post-quantum cryptography (NIST standardized)
- Regular algorithm reviews and updates
8. Security Resources
8.1 Documentation
8.2 Tools
9. Contact
- Security Team: security@ractervault.com
- Bug Bounty: Submit a report
- PGP Key: Download
- Security Advisories: Subscribe
Help Us Stay Secure
Security is a continuous process. If you discover a vulnerability, please report it responsibly. We're committed to working with the security community to keep RacterVault secure for everyone.