Security Disclosures

At Decemble, we train security engineers. We respect the security research community and welcome responsible disclosure of vulnerabilities.

Security Commitment

Decemble takes security extremely seriously and is committed to:

  • Maintaining industry-standard security practices
  • Promptly addressing security vulnerabilities
  • Transparent communication about security issues
  • Continuous security improvement
  • Protecting user privacy and data integrity

Reporting Vulnerabilities

DO NOT

  • ❌ Post vulnerability details publicly
  • ❌ Share on social media
  • ❌ Exploit the vulnerability
  • ❌ Access unauthorized data
  • ❌ Execute destructive attacks

DO

  • ✓ Report privately to our security team
  • ✓ Give us reasonable time to respond
  • ✓ Provide detailed technical information
  • ✓ Allow 90 days before public disclosure
  • ✓ Work with us on verification

How to Report

Send your report to:

security@decemble.com

Include:

  • Vulnerability type (SQL Injection, XSS, etc.)
  • Location (URL, endpoint)
  • Detailed description
  • Steps to reproduce
  • Impact assessment
  • Affected versions

Response Timeline

24 Hours

Acknowledge receipt of report

72 Hours

Initial assessment and triage

7 Days

Provide status update

30 Days

Deploy patch or mitigation (target)

90 Days

Public disclosure (after fix)

Security Standards

We implement industry-standard security:

  • SSL/TLS encryption (TLS 1.2+) for all data in transit
  • Bcrypt password hashing with salt (10+ rounds)
  • PostgreSQL encryption at rest
  • JWT authentication tokens with expiration
  • CORS properly configured
  • Rate limiting protection against brute force
  • Input validation and sanitization
  • OWASP Top 10 compliance

Development Security

  • Code review process for all changes
  • Dependency scanning for vulnerabilities
  • Static code analysis tools
  • Security testing in CI/CD pipeline
  • Environment separation (dev, staging, prod)
  • Secrets management (no hardcoded credentials)
  • Secure password reset mechanisms

Infrastructure Security

  • Firewalls and DDoS protection
  • Intrusion detection systems
  • Web application firewall (WAF)
  • Regular security patches
  • Monitoring and logging
  • Incident response procedures
  • Backup and disaster recovery

User Best Practices

To stay secure on Decemble:

  • Use a unique, strong password
  • Enable two-factor authentication if available
  • Never share your password or tokens
  • Log out after each session
  • Report suspicious activity immediately
  • Keep your browser and OS updated

Security Concerns?

For security issues or questions:

📧 security@decemble.com

Please allow up to 24 hours for initial response.