Security & Responsible Disclosure
Security is a core responsibility. This page summarizes our security program and explains how to responsibly report vulnerabilities you discover.
1. Program overview
- Transport: TLS 1.2+ for all client-server and inter-service traffic; HSTS is enforced on production origins.
- At rest: customer data is encrypted at rest using modern symmetric algorithms (e.g., AES-256) managed by our cloud provider's KMS.
- Access controls: least-privilege role-based access for production systems, protected by SSO and hardware-backed multi-factor authentication.
- Auditing: we maintain audit logs of privileged actions with retention appropriate to risk.
- Backups: automated, encrypted, and tested on a regular cadence.
- Incident response: documented runbooks, pager-based on-call, post-mortems, and customer notification aligned to applicable breach-notification law.
- Status: operational status is available at https://atlas.wrxstack.com/status; incident history is maintained at https://atlas.wrxstack.com/status/incidents.
2. Authentication
Passwords are hashed with a modern memory-hard algorithm (e.g., Argon2 or bcrypt with appropriate cost). Multi-factor authentication is available via TOTP, with optional backup codes. You can also sign in via Google, Microsoft, or GitHub OAuth.
3. Data protection
Application-level protections include CSRF tokens on state-changing requests, strict Content Security Policy on marketing pages, secure cookies, and rate limiting on sensitive endpoints. We follow OWASP ASVS guidance as an internal baseline.
4. Responsible disclosure process
- Email security@wrxstack.com with a detailed description, reproduction steps, and impact analysis. If you need encrypted coordination, follow the notice at https://atlas.wrxstack.com/.well-known/pgp-key.txt.
- We acknowledge within 3 business days, triage within 7, and target remediation proportionate to severity (critical issues prioritized immediately).
- Please do not publicly disclose the issue until we have had a reasonable opportunity to remediate: typically 90 days from acknowledgement, or sooner by mutual agreement.
5. In-scope assets
- The primary web application on our production domain.
- Our public REST and sync APIs.
- Our official mobile application.
- Our marketing site and public documentation.
6. Out of scope
- Denial-of-service attacks, load testing, or any attempt to degrade service.
- Social engineering of employees, contractors, or users.
- Physical attacks against offices, data centers, or personnel.
- Findings that require privileged local access to a victim's device.
- Vulnerabilities in third-party services or dependencies we do not control (report to the vendor instead).
- Missing best-practice HTTP security headers on marketing pages without a demonstrable impact.
7. Safe harbor
We will not pursue legal action against good-faith security research that (a) complies with this policy, (b) stays within scope, (c) does not access, modify, or destroy data belonging to other users, (d) reports findings promptly, and (e) does not violate applicable law. If your research is conducted in good faith and in accordance with this policy, we will work with you to understand and remediate the issue, and we will consider your actions authorized under the U.S. Computer Fraud and Abuse Act and equivalent laws in other jurisdictions.
8. Bug bounty
Details of our coordinated disclosure scope, safe harbor, report requirements, and reward posture are maintained at https://atlas.wrxstack.com/security/bug-bounty. Monetary rewards are not guaranteed unless a separate written program term says otherwise.
9. Contact
Security: security@wrxstack.com. Please do not use support channels for vulnerability reports.