Security
Security at socbox.
We build a security platform; we hold ourselves to the same standards we ask of our customers. This page covers how to report a vulnerability, what we promise in return, and how we handle the data you trust us with.
Responsible disclosure
If you believe you have found a security vulnerability in any socbox product, please report it to security@socbox.cloud.
We aim to acknowledge every report within 24 hours, triage within 72 hours, and ship a fix within 7 days for critical issues. Researchers who report in good faith are protected by our safe-harbor policy (no legal action) and will be credited in the hall of fame below if they wish.
In scope
- The free public scanner at socbox.cloud.
- The authenticated team platform will be added to scope when it launches.
Out of scope
- Denial-of-service attacks, social engineering, physical attacks against our staff or facilities.
- Vulnerabilities in third-party services we use (please report those upstream).
- Issues that require physical access to a victim's device.
- Content-spoofing or text injection unless it leads to a phishing-grade impact.
Machine-readable disclosure metadata follows RFC 9116 at /.well-known/security.txt.
Data handling
- Encryption at rest — scanner data is encrypted with AES-256. Per-workspace KMS keys are planned for the signed-in tiers.
- Encryption in transit — TLS 1.3 on every public endpoint; HSTS preload-listed.
- Retention — the public scanner only accepts public Git URLs, and results are kept as a public corpus. You can request removal of an individual scan at any time by emailing privacy@socbox.cloud.
- Region pinning — per-workspace region selection for scan workers and SBOM data is planned for the signed-in tiers.
- Access — production access requires a hardware key, is logged, and is reviewed monthly.
Compliance
- SOC 2 Type II: audit in progress.
- GDPR + CCPA: DPA available as a self-serve add-on.
- HIPAA: Business Associate Agreement on paid tiers (coming soon).
- ISO 27001: planned, target Q4 2026.
Hall of fame
Researchers who disclosed vulnerabilities responsibly. Listed in chronological order; thank you all.
- 2026-04 — anonymous (server-side request forgery in scan-trigger endpoint)
- 2026-03 — Mara Ó Súileabháin (token-issue race condition)
- 2026-02 — Sam Tanaka (auth-cookie SameSite hardening recommendation)