Security
Overview
BreachSpider is built by an active ICS/OT vulnerability researcher. We monitor our own stack with BreachSpider -- our CVE coverage applies to the software we run. This page documents our security architecture for enterprise buyers, security teams, and researchers conducting due diligence.
Section 1 -- Infrastructure Security
Hosting
OVHcloud VPS, Ubuntu 24.04 LTS. US-East region. No data leaves the United States.
CDN and WAF
Cloudflare with DDoS protection, WAF rules, and SSL termination at edge. Orange Cloud enabled.
Network Exposure
UFW firewall -- only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS) exposed. API runs on localhost:8000 only.
Database
PostgreSQL 16 on localhost -- not internet-exposed. API uses a restricted role with row-level security enforced.
Section 2 -- Authentication Security
- Magic link authentication: no passwords stored or transmitted. No password database to breach.
- Session tokens: SHA-256 hashed, httponly + secure + SameSite=Strict cookies
- API keys: SHA-256 hashed at rest. Raw key shown only once at generation. Format: bs_live_ prefix for easy identification in code reviews and secret scanning.
- Session management: revocable from Account settings. View active sessions and invalidate remotely.
- TOTP/MFA: available on all accounts for additional protection of the magic link flow
- Invite-only member additions: team members cannot self-register -- only org admins can invite
Section 3 -- Data Security
- In transit: TLS 1.2+ enforced via Cloudflare. HSTS headers set.
- At rest: OVHcloud infrastructure-level encryption
- Database isolation: API uses restricted bs_api role, not superuser. Row-level security enforced by org_id on all tables.
- Tenant isolation: all queries filtered by org_id at application layer. Cross-tenant data access is architecturally prevented.
- Asset data: used only to match CVEs for your organization. Never used for any other purpose.
- SAGE queries: sent to Anthropic for inference. Not logged or retained beyond the session in BreachSpider's systems. Subject to Anthropic's data handling policies.
Section 4 -- Operational Security
- Backups: nightly automated backup to offsite FTP (Hostinger). Local backup retained at /root/breachspider_backups/
- Backup retention: 90 days
- Recovery time objective (RTO): 4 hours
- Recovery point objective (RPO): 24 hours (last nightly backup)
- Monitoring: health endpoint at /api/v1/health, systemd service monitoring, Uptime Robot
- Patching: Ubuntu unattended-upgrades enabled for OS-level security patches
- Audit logging: all privileged actions logged with org_id, actor, resource, and IP address. Retention by tier: 30-365 days.
Section 5 -- Vulnerability Disclosure Policy
Responsible Disclosure
We practice what we preach. If you discover a vulnerability in BreachSpider, please report it responsibly:
- Email [email protected] with full details
- Allow 90 days for remediation before public disclosure
- We will not pursue legal action against good-faith researchers operating within scope
- We will credit researchers in release notes upon request
In scope: breachspider.com, api.breachspider.com, docs.breachspider.com
Out of scope: social engineering attacks, physical security, third-party services (Cloudflare, Stripe, OVHcloud), denial of service attacks
Machine-readable disclosure policy: /.well-known/security.txt
Section 6 -- Compliance Roadmap
Target completion: Q4 2026. Platform features designed with SOC 2 Trust Services Criteria in mind. Audit log provides evidence for CC6, CC7, CC8 controls.
Platform features designed to support CIP-007 (patch management) and CIP-010 (configuration management and vulnerability assessment) workflows.
Platform aligned with IEC 62443-2-1 patch management requirements for OT/ICS environments. BCS scoring incorporates ICS context factors.
Section 7 -- Contact
Security contact: [email protected]
Security disclosure: /.well-known/security.txt
For enterprise security questionnaires, compliance documentation requests, and NDA execution: [email protected]