SC-CPE Security
We take security seriously. If you find a vulnerability, we want to hear about it.
Scope
In scope
- Certificate forgery / revocation bypass
- Audit log tampering or chain-break
- Auth bypass on /api/admin/* or /api/me/*
- Cross-user data leakage (dashboard token, cert, attendance)
- XSS / injection reaching the verify portal or PDF issuer
- CSRF on state-changing endpoints
- Rate limit bypass or amplification
- Information disclosure (PII, secrets, stack traces)
Out of scope
- Denial of service without amplification
- Clickjacking on non-sensitive pages
- Best-practice header nits without exploit path
- Theoretical timing attacks on high-entropy tokens
- Social engineering / phishing of users or admins
- Attacks requiring physical access
Rules of engagement
- DO test against the production site: sc-cpe-web.pages.dev
- DO create your own test account for testing
- DO report findings to certs@signalplane.co with [SECURITY] in the subject
- DO include reproduction steps, impact assessment, and suggested fix if possible
- DON'T exfiltrate other users' PII or destroy data
- DON'T spam registration, verification, or chat-code endpoints for volume testing
- DON'T publicly disclose before the fix ships (coordinated disclosure)
- DON'T use automated scanners at high volume — rate limits will trip and you'll poison telemetry
Response SLA
| Stage | Timeline |
|---|---|
| Acknowledgement | 3 business days |
| Triage + initial assessment | 7 business days |
| Fix or mitigation (P0/P1) | 30 days |
Recognition
We don't run a paid bug bounty. Researchers who report valid findings are credited below and in the repo's SECURITY.md. Tell us how you'd like to be credited in your report.
Hall of Fame
Be the first to find a vulnerability and earn your place here.
Defense posture
What you're up against. Source is public — we're not hiding behind obscurity.
- CSP: script-src 'self' — no inline scripts, no eval, with report-uri violation monitoring
- SRI: CDN scripts pinned with SHA-384 integrity hashes
- Auth: Constant-time HMAC comparison on bearer tokens, __Host- prefixed cookies with HttpOnly/Secure/SameSite=Strict
- Rate limiting: Fail-closed on all endpoints (missing KV = 503, not silent pass). X-RateLimit-* headers on every 429
- CSRF: Origin validation on all state-changing /api/me/* endpoints
- Audit trail: Hash-chained append-only log with UNIQUE index on prev_hash — tamper-evident by construction
- Monitoring: Honeypot traps, security event counters, CSP violation logging, real-time admin dashboard
- CI/CD: CodeQL SAST + gitleaks secret scanning + post-deploy smoke tests on every push
- Certs: PAdES-T signed PDFs with public CRL and independent verification portal
Resources
- security.txt (RFC 9116)
- Privacy policy — security section
- Source code (GitHub)
- SECURITY.md
- robots.txt
This site runs on Cloudflare Pages + Workers + D1. The full source is public. All certificates are PAdES-T signed with a hash-chained audit log. See DESIGN.md for architecture.