Security

Last updated: June 7, 2026 - Security contact: [email protected]

Overview

BreachSpider is built by an active ICS/OT vulnerability researcher. We monitor our own stack with BreachSpider -- our CVE coverage applies to the software we run. This page documents our security architecture for enterprise buyers, security teams, and researchers conducting due diligence.

Section 1 -- Infrastructure Security

Hosting

OVHcloud VPS, Ubuntu 24.04 LTS. US-East region. No data leaves the United States.

CDN and WAF

Cloudflare with DDoS protection, WAF rules, and SSL termination at edge. Orange Cloud enabled.

Network Exposure

UFW firewall -- only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS) exposed. API runs on localhost:8000 only.

Database

PostgreSQL 16 on localhost -- not internet-exposed. API uses a restricted role with row-level security enforced.

Section 2 -- Authentication Security

Section 3 -- Data Security

Section 4 -- Operational Security

Section 5 -- Vulnerability Disclosure Policy

Responsible Disclosure

We practice what we preach. If you discover a vulnerability in BreachSpider, please report it responsibly:

In scope: breachspider.com, api.breachspider.com, docs.breachspider.com

Out of scope: social engineering attacks, physical security, third-party services (Cloudflare, Stripe, OVHcloud), denial of service attacks

Machine-readable disclosure policy: /.well-known/security.txt

Section 6 -- Compliance Roadmap

SOC 2 Type II -- In progress
Target completion: Q4 2026. Platform features designed with SOC 2 Trust Services Criteria in mind. Audit log provides evidence for CC6, CC7, CC8 controls.
NERC CIP Alignment
Platform features designed to support CIP-007 (patch management) and CIP-010 (configuration management and vulnerability assessment) workflows.
IEC 62443 Alignment
Platform aligned with IEC 62443-2-1 patch management requirements for OT/ICS environments. BCS scoring incorporates ICS context factors.

Section 7 -- Contact

Security contact: [email protected]
Security disclosure: /.well-known/security.txt
For enterprise security questionnaires, compliance documentation requests, and NDA execution: [email protected]