Security Policy

Enterprise-Grade Protection — Last Updated: April 4, 2026

Our Security Philosophy

We follow defense in depth: multiple independent layers, so that no single point of failure can compromise your data.

  • No unencrypted data in transit or at rest
  • All credentials rotated every 90 days
  • 24/7 intrusion detection + incident response
  • Annual third-party penetration testing
  • Bug bounty program (₹50,000 max bounty)
  • Zero tolerance for corner-cutting

Encryption Standards

Data in Transit (Network)
TLS 1.3 mandatory on all connections
Data at Rest (Database)
AES-256-GCM encryption (Supabase managed)
API Keys & Secrets
Never in plaintext. Encrypted with AWS Secrets Manager

Attack Vectors Prevented

Attack Type    | Protection
Cost Spiral    | Rate limiting (Redis)
Free Premium   | Webhook HMAC-SHA256 verification
Auth Bypass    | JWT signature verification
SSRF           | URL validation (github.com only)
XSS            | Content-Security-Policy headers
Clickjacking   | X-Frame-Options: DENY
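Two of the protections in the table, webhook HMAC-SHA256 verification and github.com-only URL validation, are easy to get subtly wrong. The following is an added illustration written for this page, not code from the project: it assumes the webhook signature is the hex HMAC-SHA256 of the raw request body under a shared secret (the header name and encoding are assumptions), and it shows the checks a strict allowlist needs so that lookalike hosts, userinfo tricks and non-HTTPS schemes are rejected.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed demo secret; a real deployment reads it from a secrets manager.
WEBHOOK_SECRET = b"example-shared-secret"


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed sender-side format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, presented_signature: str) -> bool:
    """Recompute the MAC over the raw (unparsed) body and compare in constant time.

    Compare before JSON-decoding, so the bytes that were signed are the bytes
    checked; hmac.compare_digest avoids the timing leak of a plain == compare.
    """
    expected = sign_webhook(secret, body)
    return hmac.compare_digest(expected, presented_signature)


# Exact-match allowlist; a substring or suffix check would admit lookalikes.
ALLOWED_HOSTS = {"github.com"}


def is_allowed_github_url(url: str) -> bool:
    """Accept only https URLs whose host is exactly github.com.

    Rejects: other schemes, credentials in the authority
    (https://github.com@evil.example), lookalike hosts
    (github.com.evil.example), and non-default ports.
    """
    try:
        parts = urlsplit(url)
        # .port raises ValueError on a malformed port; handled below.
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        if parts.port not in (None, 443):
            return False
        # urlsplit lowercases the hostname, so GitHub.com still matches.
        return parts.hostname in ALLOWED_HOSTS
    except ValueError:
        return False


if __name__ == "__main__":
    body = b'{"event": "payment.completed", "amount": 100}'  # constructed payload
    good_sig = sign_webhook(WEBHOOK_SECRET, body)
    print("valid signature:", verify_webhook(WEBHOOK_SECRET, body, good_sig))
    print("tampered body:  ", verify_webhook(WEBHOOK_SECRET, body + b" ", good_sig))
    for candidate in (
        "https://github.com/org/repo",
        "https://GitHub.com/org/repo",
        "http://github.com/org/repo",
        "https://github.com@evil.example/org/repo",
        "https://github.com.evil.example/org/repo",
    ):
        print(f"{candidate:45} -> {is_allowed_github_url(candidate)}")
```

The URL check deliberately parses the authority rather than pattern-matching the string: the userinfo and lookalike cases both contain the literal text "github.com" and would pass a naive `"github.com" in url` test.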

Compliance

✅ DPDP Act 2023
India data protection
✅ GDPR
EU user privacy
✅ PCI-DSS
Payment security
✅ OWASP Top 10
All vulnerabilities fixed

Incident Response

If a security breach ever happens, we follow this timeline:

  • T+15 minutes: Incident commander investigates
  • T+1 hour: Assessment complete
  • T+4 hours: Fix deployed
  • T+24 hours: User notification + public disclosure

Bug Bounty Program

🔴 Critical: ₹50,000 (RCE, auth bypass, data breach)

🟠 High: ₹20,000 (SSRF, SQL injection, privilege escalation)

🟡 Medium: ₹5,000 (XSS, CSRF, logic bugs)

🟢 Low: ₹1,000 (information disclosure)

Report to: security@zerotheory.in

Security is a practice, not a checkbox.

We never cut corners. If we get hacked, we lose everything.

For the complete Security Policy, see SECURITY_POLICY.md