Security Policy

How we protect the confidentiality and integrity of vulnerability reports on this platform.

Data Protection

All reports are encrypted using AES-256 before being published. Decryption occurs entirely within the visitor's browser using the provided access key. No plaintext content is ever transmitted to or stored on a server.

Access Control

Each report is assigned a unique UUID. Access requires both the correct UUID and the corresponding password. These credentials are distributed to recipients through separate, secure channels.

Report Handling

Vulnerability reports contain sensitive information. Handle them in accordance with your organisation's data classification policy. Do not share access credentials or forward reports to unauthorised individuals.

Encryption Details

  • Algorithm: AES-256-CBC via the Web Crypto API
  • Key derivation: PBKDF2 with SHA-256, 600,000 iterations
  • HMAC-SHA-256 signature verification on every decryption
  • No server-side storage of decrypted content or keys

Responsible Disclosure

If you discover a security vulnerability in this platform, please report it responsibly:

  • Email: neo.nzso@proton.me with subject line SECURITY
  • Include a clear description and reproduction steps
  • Allow reasonable time for investigation and remediation
  • Do not publicly disclose until the issue is resolved

Compliance Alignment

This platform is designed to support compliance with common security frameworks:

  • ISO/IEC 27001 — Information Security Management
  • NIST Cybersecurity Framework
  • GDPR — Data Protection by Design
  • SOC 2 — Security and Confidentiality Controls