Security

How we protect ForgeSec and what to do if you find a vulnerability.

Our security practices

All API keys stored in encrypted environment variables — never in code

All data transmitted over HTTPS with TLS 1.3

Row-level security — users can only access their own scan data

GitHub OAuth for authentication — we never store passwords

Rate limiting on all API endpoints (10 scans/hour per IP)

Backend dependencies audited weekly with pip-audit

ForgeSec scans itself — we eat our own dog food

Responsible disclosure

If you discover a security vulnerability in ForgeSec, please report it privately before public disclosure. We take all reports seriously and will respond within 48 hours.

Email: hello@forgesec.co

Subject: [SECURITY] Brief description

Response time: 48 hours

Fix timeline: 7 days for critical, 30 days for others

Scope

In scope: frontend-five-sepia-44.vercel.app, forgesec-backend-production.up.railway.app, and any forgesec.dev subdomains. Out of scope: third-party services (Supabase, Vercel, Railway), social engineering, and physical attacks.