Security Disclosure

The security of our platform and our customers' infrastructure is our highest priority. We welcome responsible security research and will acknowledge your contributions.

Report a Vulnerability

If you believe you've found a security vulnerability in Iddio, please report it responsibly. Do not disclose the vulnerability publicly until we've had a chance to address it.

security@iddio.dev

For encrypted communications, our PGP key is linked from the Encryption field of our RFC 9116 security.txt file at https://iddio.dev/.well-known/security.txt.
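Before encrypting a report to a key found through security.txt, a reporter should check that the file is still valid (RFC 9116 requires Contact and Expires, and the Encryption URI must point at a key served over https or via a dns:/openpgp4fpr: URI). The following is an added example, not Iddio's own code: it parses a constructed sample file and lists anything that should stop you from trusting it. The sample contents, including the key URL https://iddio.dev/pgp-key.txt and the expiry date, are hypothetical and are not the live contents of iddio.dev/.well-known/security.txt.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not Iddio's code. The sample file below is constructed for
illustration and is not the real iddio.dev/.well-known/security.txt.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample; the key URL and dates are hypothetical.
SAMPLE_SECURITY_TXT = """\
# Hypothetical example file, not the live one.
Contact: mailto:security@iddio.dev
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://iddio.dev/pgp-key.txt
Preferred-Languages: en
Canonical: https://iddio.dev/.well-known/security.txt
"""

# Constructed sample of a stale file a reporter should refuse to rely on.
EXPIRED_SECURITY_TXT = """\
Contact: mailto:security@example.test
Expires: 2020-01-01T00:00:00Z
Encryption: http://example.test/key.asc
"""

REQUIRED_FIELDS = ("Contact", "Expires")


def parse_security_txt(text):
    """Return {lowercased field name: [values]}.

    Field names are case-insensitive per RFC 9116; '#' lines are comments.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable.

    `now` may be passed for deterministic testing; defaults to current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for req in REQUIRED_FIELDS:
        if req.lower() not in fields:
            problems.append(f"missing required field {req}")

    # Expires: exactly one RFC 3339 timestamp, which must still be in the future.
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("more than one Expires field")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable Expires value: {value}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {value}")
        elif when <= now:
            problems.append(f"file expired at {value}")

    # Contact must be a URI (mailto:, https:, tel: are the usual schemes).
    for value in fields.get("contact", []):
        if urlparse(value).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {value}")

    # Encryption: the key must be fetched over https, or via dns:/openpgp4fpr:.
    for value in fields.get("encryption", []):
        if urlparse(value).scheme not in ("https", "dns", "openpgp4fpr"):
            problems.append(f"Encryption key not served over https: {value}")

    return problems


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("expired", EXPIRED_SECURITY_TXT)):
        print(label, check_security_txt(body) or "OK")
```

The check deliberately refuses an `http://` key URL: a key fetched over plaintext can be swapped by anyone on the path, which defeats the point of encrypting the report.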

Response Timeline

24 hours

We acknowledge receipt of your report and assign a tracking identifier.

72 hours

We provide an initial assessment of severity and expected resolution timeline.

90 days

Maximum coordinated-disclosure window before public disclosure. We aim to resolve critical issues well within this period.

Scope

  • The Iddio command proxy (open-source and managed)
  • The Iddio policy engine and audit system
  • The iddio.dev web application and API
  • Authentication and authorization mechanisms
  • Cryptographic audit log integrity

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who report vulnerabilities responsibly.

Security Practices

  • SOC 2 Type II audited infrastructure (Enterprise tier)
  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Cryptographically signed audit logs with tamper detection
  • Regular third-party penetration testing
  • Mandatory code review and security review for all changes
  • Incident response plan with 4-hour SLA for critical issues