Security & disclosure.
Reporting channel, safe-harbor commitments, response targets, and the security program behind the platforms we build.
If you’ve found something, please tell us at security@802.software. The rest of this page exists so you know what to expect: what’s in scope, how fast we’ll respond, the safe-harbor commitments we’ll honor, and the security program behind the platforms we build.
Responsible disclosure
Security is part of the product, not a finishing step. If you’ve found a vulnerability in any 802.software surface — the marketing site, our demo sub-apps, infrastructure we control, or a platform we operate for a client — please tell us. We treat reports as a gift and respond accordingly.
We don’t run a public bug-bounty program with cash rewards at this time. We do offer credit, a written acknowledgement, and direct access to the engineering team for high-quality reports.
How to report a vulnerability
Email security@802.software with as much of the following as you can share:
- The affected URL, host, or component.
- The vulnerability class (e.g. XSS, IDOR, SSRF, auth bypass).
- A reproducer — minimal steps, payloads, request/response, or screenshots.
- Suggested impact and severity.
- Any constraints we should know (whether you’ve disclosed elsewhere, your preferred handle for credit, etc.).
PGP-encrypted reports are welcome; reach out to security@802.software and we’ll share a current key on request. A security.txt is published at the root for tooling.
Scope
In scope
- 802.software and all subdomains we control (e.g. www, api, apps).
- Demo sub-apps under /apps/mdmotors, /apps/pacelit, and /apps/splitnpay.
- Client platforms we operate, only with that client’s explicit authorization to test. If you’re unsure, ask us first.
Out of scope
- Denial-of-service, volumetric, or stress testing.
- Spam, social engineering against employees or clients, phishing simulations.
- Physical attacks on offices, hardware, or personnel.
- Findings on vendor surfaces we don’t control (Vercel admin, Cloudflare admin, GitHub, etc.) — report those to the vendor.
- Missing security headers, version disclosure, or other low-impact informational findings without demonstrable impact.
- Self-XSS, clickjacking on pages with no sensitive actions, or vulnerabilities requiring a compromised local device.
Safe harbor
If you act in good faith — limiting your testing to in-scope assets, avoiding privacy violations, not destroying data, not degrading service, and reporting promptly — we will:
- Not pursue or support legal action against you under the Computer Fraud and Abuse Act (CFAA), the DMCA’s anti-circumvention provisions, or comparable state laws.
- Treat your activity as authorized for purposes of our terms of service and acceptable use.
- Work with you to understand the issue, fix it, and credit you (if you want credit) when remediation is complete.
This safe harbor is limited to acts that are not in violation of applicable law, and to surfaces we control. Where a client’s authorization is needed, we’ll mediate. If your research accidentally goes out of scope, stop immediately, tell us, and we’ll work with you in good faith.
Response timeline
Targets, measured from receipt of a complete report:
- Acknowledgement — within 1 business day (often within hours).
- Triage and severity assessment — within 5 business days.
- Remediation — critical: within 7 days; high: within 30 days; medium: within 60 days; low: within 90 days. Tracked transparently with you.
- Post-remediation — we’ll confirm the fix with you, document the change, and credit you if you’d like.
If we miss a target, we’ll tell you why and adjust. Coordinated disclosure timelines are negotiable for nuanced cases.
Recognition
We don’t pay cash bounties today. We do offer:
- Public credit (with your preferred handle) in a hall-of-fame section of this page or in release notes.
- A direct intro to the engineer who owns the affected surface.
- Swag, where logistics permit.
- Priority consideration if we open a paid program later.
If we’re operating a client platform under their bug-bounty program, that client’s reward policy applies for findings in their scope.
Our security program
Our practices scale with engagement risk. For the marketing site and demo apps the surface area is small; for client platforms handling regulated data, the program looks like what you’d expect from a senior team.
Encryption
- TLS 1.2+ (TLS 1.3 preferred) on all public endpoints; HSTS preloaded.
- AES-256 (or equivalent) at rest for personal data we store, with managed-key rotation.
- Secrets stored in a dedicated secrets manager, never in source control.
Identity, access, and devices
- SSO with hardware-key MFA for all critical systems; phishing-resistant authenticators preferred.
- Least-privilege roles and quarterly access reviews.
- Managed laptops with full-disk encryption, automatic patching, and endpoint detection.
Application and platform security
- Threat modeling on new components; written architecture reviews before significant builds.
- Mandatory peer code review; CI runs static analysis, dependency scanning, and secret scanning.
- Strict CSP, secure cookie defaults, and parameterized queries by default — the marketing site CSP is hardened in production (see NODE_ENV branching in our config).
- Backups taken at least daily for client platforms, with restore exercises at least annually.
Monitoring and logging
- Centralized, append-only logs for production systems, with alerting on suspicious patterns.
- Tamper-evident audit trails for sensitive actions.
Vendor management
- Sub-processor vetting before introduction; DPAs in place where personal data is involved.
- Annual review of critical vendors’ SOC 2 / ISO 27001 reports and incident histories.
Compliance posture
We design for compliance even when audits aren’t in scope, so platforms we build are ready when our clients need them.
- SOC 2 Type 2 — we’ve helped multiple clients reach Type 2 attestation. Our internal program follows the same control set; happy to share specifics under NDA.
- HIPAA — we’ve built and operated platforms handling PHI under business associate agreements (BAAs). Available on request.
- GDPR / UK GDPR / CCPA / CPRA — DPAs available; we operate as a processor / service provider under your direction.
- PCI DSS — for engagements touching cardholder data, we keep it in scope-minimized environments and prefer tokenization at the payments provider.
Where a framework matters for your engagement, we map controls and document evidence as part of delivery.
Incident response
Our incident-response process covers detection, containment, eradication, recovery, and post-mortem. Highlights:
- 24/7 reachability for active engagements via on-call rotation; security@802.software is monitored continuously.
- Severity is assigned within hours; impacted clients are notified once we have a confirmed scope.
- For incidents involving personal data, breach notifications align to GDPR’s 72-hour window where applicable, plus any contractual or U.S. state-law timelines.
- Every incident gets a written post-mortem, including timeline, root cause, customer impact, and corrective actions, delivered to affected clients.
Sub-processors
Our active sub-processors and the personal data each can access are listed in our Privacy Policy. When we add or change a sub-processor that handles personal data on behalf of a client, we update the list and, where required by the DPA, notify the client in advance.
Contact
For all security matters, including disclosure and incident reports:
- Security — security@802.software
- General — hello@802.software
- Postal — 802 Software, LLC, 180 Market Street, South Burlington, VT 05403, US
We aim to acknowledge security mail within one business day. If you don’t hear back, please nudge us — sometimes legitimate reports land in spam filters, and we want to fix that fast.
Running a vendor review?
Send us your SIG-Lite, CAIQ, or homegrown RFP — we’ll return it within five business days. The mail link below opens a draft with the fields we need to start.