Security

Last updated: 2026-04-28 · Vulnerability disclosure: security.txt

This page summarises the technical and organisational measures ("TOMs") BestCoder has in place to protect your data and your service availability. The full TOMs annex is part of the DPA and is available on request.

1. Encryption

  • In transit: TLS 1.3 minimum, HSTS enforced, modern cipher suites only. Agent ↔ control plane channels also use TLS 1.3 with mutual certificate pinning.
  • At rest: AES-256 on all storage tiers (Neon Postgres, Vercel Blob, log archives). OAuth tokens stored in accounts.access_token are additionally encrypted at the application layer with AES-256-GCM, under a rotated AUTH_TOKEN_ENCRYPTION_KEY, on top of the storage-tier encryption.
  • BYOK secrets in the Agent: stored locally in a libsodium vault sealed with a per-user passphrase; never leave the user's machine.

2. Authentication and access control

  • Customer accounts: bcrypt-hashed passwords, minimum 12 characters, rate-limited (5 attempts/min/IP).
  • GitHub OAuth, Device Flow and Google OAuth are supported.
  • Internal access: Single Sign-On with mandatory hardware MFA. No shared accounts. Quarterly access reviews; just-in-time database access via short-lived credentials.
  • RBAC at the project level (owner / admin / member / viewer). Enterprise plans also expose SAML / OIDC / SCIM.

3. Software supply chain

  • Lockfile (package-lock.json) committed; npm audit runs in CI on every PR.
  • Dependabot alerts triaged within 7 days.
  • Container images built reproducibly (Dockerfile multi-stage with pinned base image).
  • The BestCoder Agent binary is signed (Apple notarized, Microsoft Authenticode, Linux GPG-signed AppImage).

4. Logging and monitoring

  • Application logs: 90-day hot retention, 12-month cold (Liberty & Team), 7-year cold (Enterprise).
  • Sentry collects only error signals; PII redaction at the SDK layer.
  • Vercel Analytics + Speed Insights for aggregate request metrics.

5. Incident response

  • Pager duty: 24/7 for Enterprise customers, business-hours for Liberty and Team (response targets in the DPA).
  • Public status page: https://status.bestcoder.app (mirrored so that it stays reachable during a control plane outage).
  • Post-incident reviews are published within 14 days for any incident affecting the control plane availability or data integrity.

6. Vulnerability disclosure

We follow a coordinated disclosure model. If you believe you have found a vulnerability:

  • Email: security@bestcoder.app
  • PGP: https://bestcoder.app/.well-known/bestcoder-security.pgp (coming soon — PGP key rotation Q3 2026)
  • Acknowledgement: within 72 hours
  • Triage and remediation timeline: Critical 7d / High 30d / Medium 90d
  • Bug bounty: scoped private programme on HackerOne — open the initial report by email and we will scope you in.

We do not pursue legal action against researchers who follow this policy in good faith.

7. Audits and certifications

  • ISO 27001 — in progress (gap analysis Q2 2026, audit Q4 2026).
  • SOC 2 Type II — Tier 1 Enterprise customers receive the annual report on request once available.
  • Internal pentest cadence: at least annual, plus a refresh after any material architecture change.

8. Backups and disaster recovery

  • Database: continuous WAL streaming + daily snapshots, 35-day retention, point-in-time recovery to any second within the window.
  • Cross-region replication for Enterprise customers on request.
  • Tested restore drill: quarterly, recorded in our internal runbook.

9. Hardening checklist

  • CSP frame-ancestors 'self' https://*.bestcoder.app enforced
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy minimal allowlist
  • Strict-Transport-Security 1 year, includeSubDomains, preload
  • CSP nonces on inline scripts
  • Cookies: Secure, HttpOnly, SameSite=Lax for NextAuth session cookies and SameSite=Strict for the CSRF cookie

If you spot a gap, please file it via the disclosure channel above.