Security at Dib.io
Securing your data is our top priority. We implement comprehensive security practices and welcome contributions from security researchers.
Our Security Practices
We've built our infrastructure with security in mind, using industry-best practices and modern cloud technologies to protect your data.
Data Encryption
Your data is protected both in transit and at rest:
- HTTPS/TLS for all data in transit
- S3 with AES-256 SSE encryption by default
- Bucket policies that require HTTPS for all S3 endpoint access
- S3 bucket policies and IAM role restrictions
- Secure database connections with TLS
- Encrypted backups and snapshots
Our S3 implementation includes versioning for protection against accidental deletions, object-level logging for security audits, and cross-region replication for data resilience.
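The "HTTPS-only" and "encrypted-by-default" controls listed above are normally expressed as Deny statements in an S3 bucket policy. The following is an added illustration, not Dib.io's actual policy: it embeds a constructed bucket policy (the bucket name is a placeholder) and a small evaluator for the two condition operators the policy uses, so you can check which requests the policy would refuse before deploying it.

```python
"""Toy evaluator for an S3 bucket policy that denies plaintext (non-TLS)
requests and uploads that do not request server-side encryption.
Constructed example for illustration; the bucket name and Sids are
placeholders, and only the Bool and Null condition operators are modelled."""
import fnmatch
import json

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyUnencryptedUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }
  ]
}
""")
# Caveat on the second statement: with bucket default encryption enabled, S3
# encrypts objects even when the client omits the header, so this statement
# rejects clients that rely on the default.  Keep it only if you want every
# uploader to request SSE explicitly.


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """All operators and all keys are AND-ed; values within one key are OR-ed."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = [str(v).lower() for v in _as_list(values)]
            actual = ctx.get(key)
            if operator == "Bool":
                # Bool never matches when the key is absent from the request context
                if actual is None or str(actual).lower() not in values:
                    return False
            elif operator == "Null":
                # "true" matches when the key is absent, "false" when it is present
                key_is_absent = actual is None
                if ("true" in values) != key_is_absent:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this toy evaluator")
    return True


def denied_by(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement matching the request, or None.

    ctx holds request-context keys such as aws:SecureTransport ("true"/"false")
    and s3:x-amz-server-side-encryption (the requested SSE algorithm).
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(statement["Resource"])):
            continue
        if _condition_matches(statement.get("Condition", {}), ctx):
            return statement["Sid"]
    return None


if __name__ == "__main__":
    obj = "arn:aws:s3:::EXAMPLE-BUCKET/report.csv"
    print(denied_by(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(denied_by(BUCKET_POLICY, "s3:PutObject", obj,
                    {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "AES256"}))
```

Because Deny statements take precedence over any Allow, a request the evaluator reports as denied stays denied regardless of IAM role permissions; the reverse (None) only means this policy does not block it.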
Database Security
We use Neon Postgres with advanced security protections:
- AES-256 encryption for all data at rest
- TLS 1.3 connections using sslmode=verify-full
- 60-bit entropy password requirements
- Row-Level Security (RLS) for data access control
- Secure proxy authentication layer
Neon Postgres provides security features like JWT authentication integration, declarative access policies, and isolated compute environments that automatically scale to zero when not in use.
Secure Infrastructure
We leverage Vercel's enterprise-grade platform security:
- Global edge network with DDoS protection
- Automatic HTTPS and TLS certificate management
- Isolated build environments for secure deployments
- Immutable deployments preventing tampering
- Real-time security patches for infrastructure
Vercel's enterprise security features provide protection against common web attacks, with advanced edge caching and security headers automatically implemented.
Enterprise-Grade Authentication
We use Stack Auth to provide robust identity protection:
- SAML 2.0 and OIDC protocol support
- Multi-factor authentication (MFA)
- PKCE authorization for enhanced security
- JWTs with appropriate expiration policies
- Zero trust architecture principles
Stack Auth's enterprise-grade authentication helps us prevent account takeovers and credential stuffing attacks, and gives us visibility into login anomalies.
Application Security
Our development practices enforce security at every stage:
- Regular code scanning for vulnerabilities
- Secure coding best practices
- Dependency vulnerability scanning
- Input validation and output encoding
- Security-focused code reviews
- API rate limiting and authentication
- OWASP Top 10 vulnerability prevention
- Content Security Policy implementation
We employ a shift-left security approach, integrating automated security testing into our CI/CD pipeline. This enables us to identify and remediate potential vulnerabilities before they reach production.
Ongoing Security Development
Security is a journey, not a destination. We're continuously improving our security posture by implementing new protections, conducting regular security assessments, and enhancing our practices based on emerging threats and industry standards.
Bug Bounty Program
Help us strengthen our security by reporting vulnerabilities. We value the contributions of security researchers and offer competitive rewards.
Report via Email
Email us directly with your security findings
You can send your security vulnerability reports directly to our security team at: security@dib.io
Please include detailed information about the vulnerability, steps to reproduce, and potential impact.
Rewards
We offer competitive monetary rewards based on the severity and impact of the vulnerability. Our goal is to fairly compensate security researchers for their valuable contributions to our security posture.
- Low Severity: Competitive Reward. Minor issues with limited security impact
- Medium Severity: Higher Compensation. Vulnerabilities with significant but contained impact
- High Severity: Premium Reward. Critical vulnerabilities with substantial security impact
The final reward amount will be determined based on the severity, impact, and quality of the report. We pride ourselves on offering fair and competitive payments that reflect the value of your security research.
Program Rules
Scope
Our bug bounty program covers:
- All web properties under the dib.io domain
- Our API endpoints and services
- Our main applications and infrastructure
Out of Scope
- Social engineering attacks
- DoS/DDoS attacks
- Physical security issues
- Issues requiring significant user interaction
- Third-party applications or services we don't control
Responsible Disclosure
We ask that you follow responsible disclosure practices:
- Do not access or modify user data without permission
- Do not exploit vulnerabilities beyond what's necessary to demonstrate the issue
- Provide us reasonable time to address issues before public disclosure
- Do not share sensitive information with third parties
Safe Harbor Statement
What we will not do
If you conduct vulnerability research according to our bug bounty program guidelines, we will not:
- Pursue legal action against you
- Report you to law enforcement
- Pursue legal action related to intellectual property
Qualifying conditions
This safe harbor applies as long as your security research:
- Complies with our responsible disclosure guidelines
- Makes a good faith effort to avoid privacy violations, data destruction, and service disruption
- Does not compromise the privacy or safety of our users, staff, or organization
- Only targets the systems and assets within the scope of our bug bounty program
Note: If legal action is initiated by a third party against you and you have complied with our bug bounty policy, we will make this fact known where we have the authority to do so.
Process
- Submit Your Report
- Confirmation & Triage
- Resolution
- Reward & Recognition
Contact
If you have any questions about our security practices or bug bounty program, please email us at security@dib.io.
We follow the security.txt standard. Our security contact information can also be found at /.well-known/security.txt.
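As an added example of what a security.txt file (RFC 9116) contains and how to sanity-check one, the block below parses a constructed sample (not Dib.io's actual file; only the security@dib.io address comes from this page) and reports the problems a researcher or an operator would most want caught: a missing Contact, a missing, malformed or expired Expires field, and a non-HTTPS Canonical URL.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).
Added example; the sample files below are constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample of a well-formed file.  Only the Contact address is taken
# from the page; the Expires date and Canonical URL are placeholders.
SAMPLE_SECURITY_TXT = """\
# Constructed example, not the real file
Contact: mailto:security@dib.io
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://dib.io/.well-known/security.txt
"""

# Constructed sample with the mistakes the checker is meant to flag.
BAD_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Canonical: http://example.invalid/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return {field-name (lower-case): [values...]}; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems (empty list means the file passes the checks).

    `now` may be a timezone-aware datetime or an ISO 8601 string; it defaults to
    the current UTC time and exists so the check is reproducible in tests.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    fields = parse_security_txt(text)
    problems = []

    # RFC 9116: Contact is required and must be a URI (mailto:, https:, tel:).
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {contact}")

    # RFC 9116: exactly one Expires field, ISO 8601 with timezone, and the
    # RFC recommends it be less than a year in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must include a timezone")
            elif exp <= now:
                problems.append("security.txt has expired")
            elif (exp - now).days > 366:
                problems.append("Expires is more than a year away; RFC 9116 recommends less")

    # The file is required to be served over HTTPS, so a Canonical URL should be https.
    for canonical in fields.get("canonical", []):
        if not canonical.startswith("https://"):
            problems.append(f"Canonical must be an https:// URL: {canonical}")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(name, check_security_txt(text) or "OK")
```

Run it against a file fetched from a site's /.well-known/security.txt to confirm the contact channel is still valid before you use it; an expired file is the most common reason a report never reaches anyone.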