Security

Security and Responsible Disclosure

How Credensa protects accounts, content, uploads, sessions, AI workflows, and vulnerability reports.

Defense in depth

Credensa uses session protection, rate limits, private storage, security headers, validation, and provider controls.

Security researchers can report vulnerabilities through the published contact and security.txt details.

Researchers should avoid privacy violations, data access, service disruption, extortion, and public disclosure before remediation.

Credensa's application controls are designed to reduce account, upload, API, and AI workflow risk.

HttpOnly session cookies and server-side session checks
Rate limiting and account lockout controls for sensitive auth/API surfaces
Private-by-default object storage for new uploaded files
Input validation, sanitization, security headers, and ownership checks on protected routes
AI provider timeouts, fallback paths, and workflow audit events where configured

Good-faith testing is welcome only when it avoids harm and stays within responsible disclosure boundaries.

Do not access, modify, exfiltrate, delete, or disclose other users' data
Do not run denial-of-service, spam, phishing, social engineering, malware, or destructive tests
Do not exploit beyond the minimum proof needed to demonstrate the issue
Report promptly with reproducible steps, impact, affected URLs, and suggested remediation

Some reports are useful but may not be treated as vulnerabilities unless paired with real impact.

Confirmed security incidents should be triaged, contained, documented, remediated, and communicated where required.

Record discovery time, affected systems, data categories, root cause, containment, and remediation
Preserve evidence and restrict access to incident data
Notify affected users and competent authorities where legally required
Complete a post-incident review and add preventive controls

Send details privately. Do not publicly disclose before Credensa can investigate and remediate.