Security Disclosures
At Decemble, we train security engineers. We respect the security research community and welcome responsible disclosure of vulnerabilities.
Security Commitment
Decemble takes security extremely seriously and is committed to:
- Maintaining industry-standard security practices
- Promptly addressing security vulnerabilities
- Transparent communication about security issues
- Continuous security improvement
- Protecting user privacy and data integrity
Reporting Vulnerabilities
DO NOT
- ❌ Post vulnerability details publicly
- ❌ Share on social media
- ❌ Exploit the vulnerability
- ❌ Access unauthorized data
- ❌ Execute destructive attacks
DO
- ✓ Report privately to our security team
- ✓ Give us reasonable time to respond
- ✓ Provide detailed technical information
- ✓ Allow 90 days before public disclosure
- ✓ Work with us on verification
How to Report
Send your report to:
security@decemble.com
Include:
- Vulnerability type (SQL Injection, XSS, etc.)
- Location (URL, endpoint)
- Detailed description
- Steps to reproduce
- Impact assessment
- Affected versions
Response Timeline
24 Hours
Acknowledge receipt of report
72 Hours
Initial assessment and triage
7 Days
Provide status update
30 Days
Deploy patch or mitigation (target)
90 Days
Public disclosure (after fix)
Security Standards
We implement industry-standard security:
- SSL/TLS encryption (TLS 1.2+) for all data in transit
- Bcrypt password hashing with salt (10+ rounds)
- PostgreSQL encryption at rest
- JWT authentication tokens with expiration
- CORS properly configured
- Rate limiting protection against brute force
- Input validation and sanitization
- OWASP Top 10 compliance
Development Security
- Code review process for all changes
- Dependency scanning for vulnerabilities
- Static code analysis tools
- Security testing in CI/CD pipeline
- Environment separation (dev, staging, prod)
- Secrets management (no hardcoded credentials)
- Secure password reset mechanisms
Infrastructure Security
- Firewalls and DDoS protection
- Intrusion detection systems
- Web application firewall (WAF)
- Regular security patches
- Monitoring and logging
- Incident response procedures
- Backup and disaster recovery
User Best Practices
To stay secure on Decemble:
- Use a unique, strong password
- Enable two-factor authentication if available
- Never share your password or tokens
- Log out after each session
- Report suspicious activity immediately
- Keep your browser and OS updated
Security Concerns?
For security issues or questions:
Please allow up to 24 hours for initial response.