Security Policy
Our Commitment to Security
As a cybersecurity training platform, security isn't just our mission—it's our foundation. We implement industry-leading security practices to protect your data and privacy.
Responsible Disclosure Policy
We welcome security researchers to help us maintain the security of ThreatRecon. If you discover a security vulnerability, please:
- Report privately: Email security@threatrecon.io with details
- Allow time to fix: Give us 90 days to address the issue
- Act in good faith: Don't exploit the vulnerability or access user data
- No public disclosure: Don't share the vulnerability publicly before we patch it
What to Include in Your Report
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested remediation (if applicable)
- Your contact information
Our Response
- Acknowledgment: Within 48 hours
- Status Update: Within 7 days
- Resolution: Based on severity (critical: 7 days, high: 30 days, medium: 60 days)
Security Measures
Authentication & Access Control
- Bcrypt password hashing (cost factor 12)
- TOTP-based two-factor authentication
- Account lockout after 5 failed attempts
- Password breach checking (Have I Been Pwned)
- Strong password requirements (12+ chars, mixed case, numbers, symbols)
Data Protection
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for sensitive data at rest
- Encrypted database backups
- Principle of least privilege access
- Regular security audits
Application Security
- Content Security Policy (CSP) headers
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options protection against clickjacking
- CSRF token protection
- Rate limiting on all endpoints
- Input validation and output encoding
- SQL injection prevention (parameterized queries)
Contact
- Security Issues: security@threatrecon.io
- PGP Key: Available upon request