Security at Dib.io
Securing your data is our top priority. We implement comprehensive security practices and welcome contributions from security researchers.
Our Security Practices
We've built our infrastructure with security in mind, using industry-best practices and modern cloud technologies to protect your data.
Data Encryption
Your data is protected both in transit and at rest:
- HTTPS/TLS for all data in transit
- S3 with AES-256 SSE encryption by default
- HTTPS endpoint policies for secure S3 access
- S3 bucket policies and IAM role restrictions
- Secure database connections with TLS
- Encrypted backups and snapshots
Our S3 implementation includes versioning for protection against accidental deletions, object-level logging for security audits, and cross-region replication for data resilience.
Database Security
We use Supabase with PostgreSQL and advanced security protections:
- AES-256 encryption for all data at rest
- TLS 1.3 with verify-full SSL mode connections
- Row-Level Security (RLS) enforced on all tables
- JWT-based authentication with secure token validation
- Database-level access policies and permissions
- Real-time subscriptions with security filtering
Supabase provides enterprise-grade PostgreSQL with built-in Row-Level Security (RLS) that ensures users can only access data they're authorized to see. Every database query is automatically filtered through security policies at the database level.
Secure Infrastructure
We leverage Vercel's enterprise-grade platform security:
- Global edge network with DDoS protection
- Automatic HTTPS and TLS certificate management
- Isolated build environments for secure deployments
- Immutable deployments preventing tampering
- Real-time security patches for infrastructure
Vercel's enterprise security features provide protection against common web attacks, with advanced edge caching and security headers automatically implemented.
Enterprise-Grade Authentication
We use Supabase Auth to provide robust identity protection:
- OAuth 2.0 and OpenID Connect protocol support
- Multi-factor authentication (MFA) capabilities
- PKCE authorization for enhanced security
- JWTs with secure signing and expiration policies
- Social login providers with secure integration
- Email verification and password reset flows
Supabase Auth provides enterprise-grade authentication with automatic JWT validation, secure session management, and seamless integration with our Row-Level Security policies to ensure authenticated users only access their authorized data.
Application Security
Our development practices enforce security at every stage:
- Regular code scanning for vulnerabilities
- Secure coding best practices
- Dependency vulnerability scanning
- Input validation and output encoding
- Security-focused code reviews
- API rate limiting and authentication
- OWASP Top 10 vulnerability prevention
- Content Security Policy implementation
We employ a shift-left security approach, integrating automated security testing into our CI/CD pipeline. This enables us to identify and remediate potential vulnerabilities before they reach production.
Ongoing Security Development
Security is a journey, not a destination. We're continuously improving our security posture by implementing new protections, conducting regular security assessments, and enhancing our practices based on emerging threats and industry standards.
BUG BOUNTY PROGRAM
Bug Bounty Program
Help us strengthen our security by reporting vulnerabilities. We value the contributions of security researchers and currently offer recognition rewards while we prepare for our funding round.
Program Status: Pre-Launch
Our bug bounty program is not yet fully operational. We will launch with monetary rewards after securing company funding. Security researchers can still report vulnerabilities and will be compensated with exclusive Dib.io stickers and t-shirts until monetary bounties become available.
Report via Email
Email us directly with your security findings
You can send your security vulnerability reports directly to our security team at: security@dib.io
Please include detailed information about the vulnerability, steps to reproduce, and potential impact.
Current Rewards
While we prepare for our funding round, we currently offer recognition-based rewards for security researchers. Once funded, we will transition to competitive monetary rewards based on severity and impact.
Current Rewards
Recognition Package
- Exclusive Dib.io stickers
- Limited edition t-shirts
- Public recognition (if desired)
- Priority access to future programs
Future Rewards
Post-Funding Program
- Competitive monetary rewards
- Severity-based compensation
- Premium payouts for critical issues
- Expanded program scope
We appreciate the patience of security researchers as we work toward launching our full monetary bounty program. All reports submitted during this pre-launch phase will be eligible for retroactive consideration once our program is fully funded.
Program Rules
Scope
Our bug bounty program covers:
- All web properties under the dib.io domain
- Our API endpoints and services
- Our main applications and infrastructure
Out of Scope
- Social engineering attacks
- DoS/DDoS attacks
- Physical security issues
- Issues requiring significant user interaction
- Third-party applications or services we don't control
Responsible Disclosure
We ask that you follow responsible disclosure practices:
- Do not access or modify user data without permission
- Do not exploit vulnerabilities beyond what's necessary to demonstrate the issue
- Provide us reasonable time to address issues before public disclosure
- Do not share sensitive information with third parties
Safe Harbor Statement
What we will not do
When conducting vulnerability research according to our bug bounty program guidelines, we will not:
- Pursue legal action against you
- Report you to law enforcement
- Pursue legal actions related to intellectual property
Qualifying conditions
This safe harbor applies as long as your security research:
- Complies with our responsible disclosure guidelines
- Makes a good faith effort to avoid privacy violations, data destruction, and service disruption
- Does not compromise the privacy or safety of our users, staff, or organization
- Only targets the systems and assets within the scope of our bug bounty program
Note: If legal action is initiated by a third party against you and you have complied with our bug bounty policy, we will make this fact known where we have the authority to do so.
Process
Step 1
Submit Your Report
Submit your vulnerability findings via email. Include all necessary details for our team to understand and reproduce the issue.
Step 2
Confirmation & Triage
Our security team will acknowledge receipt within 48 hours and evaluate the report to determine if it's valid and in scope. We'll classify its severity and prioritize accordingly.
Step 3
Resolution
If valid, we'll work on a fix and keep you updated on our progress. Timeline varies based on severity, but we're committed to resolving issues promptly.
Step 4
Reward & Recognition
Once fixed and verified, we'll determine the reward based on severity and impact. Payment will be processed promptly, and with your permission, we may recognize your contribution.
Contact
If you have any questions about our security practices or bug bounty program, please email us at security@dib.io
We follow the security.txt standard. Our security contact information can also be found at .well-known/security.txt