We sell ground-truth.
We hold ourselves to it.
Our customers are security researchers. They notice when we cut corners — and so do we. This page documents how we run the service, our disclosure policy, and our compliance roadmap.
Encryption everywhere
TLS 1.2+ for every connection in and out. Data at rest is encrypted with AES-256 on the database tier and object storage.
Strong authentication
Passwords are bcrypt-hashed (rounds=12) with a 12-character minimum. SSO via Google is launching shortly; SAML SSO is on the Business plan.
Least-privilege access
Production database access is gated behind a private network and short-lived credentials, and every internal service runs with the minimum privileges it needs.
Backups & recovery
Point-in-time recovery with daily snapshots retained for 30 days. We run restore drills monthly.
EU-region hosting
Application servers and the primary database run in the EU. Standard contractual clauses cover any data that crosses borders.
Secure development
Every change is peer-reviewed, gated on lint and typecheck, and tested. Dependency updates are reviewed weekly for advisories.
Responsible disclosure
If you find a security issue in VulnVerify itself, please report it to security@vulnverify.com. You can request our public PGP key from the same address.
We commit to: acknowledging your report within 24 hours, providing a triage update within 5 business days, and publicly crediting valid reporters (with permission) once the issue is resolved.
We ask that you: give us reasonable time to address the issue before public disclosure, don't access data beyond what's necessary to prove the issue, and don't disrupt the service for other users.
We're standing up a public bug-bounty program with paid rewards. If you'd like to be notified when it opens, email security@vulnverify.com.
Compliance roadmap
| Framework | Status | Notes |
|---|---|---|
| GDPR | Compliant | DPA available on request; data is processed in the EU region. |
| SOC 2 Type II | In progress | Observation period began Q2 2026. Type II report expected Q4 2026. SOC 2 Type I bridge letter available on request to compliance@vulnverify.com. |
| ISO 27001 | On the roadmap | Planned alongside SOC 2 once the team reaches 10 people. |
| DPA (EU/UK) | Available | Request via privacy@vulnverify.com. |
Data handling overview
We store the minimum data needed to operate the service: account email, hashed password, organization, subscription tier, your saved searches, watchlists, and alert configurations.
We never sell your data. We never train third-party AI models on your queries. We don't share search history or watchlists with anyone outside our team.
For details on retention, third-party sub-processors, and your rights as a data subject, see our Privacy Policy.