Security Policy

1. Our Security Commitment

Stryda is an AI security platform and holds itself to the same rigorous standards it helps its customers enforce. Security is not a feature — it is foundational to everything we build and deliver.

2. Responsible Disclosure

If you discover a security vulnerability in Stryda's platform, we ask that you report it responsibly:

• Email: audit@stryda.online
• Response time: Acknowledgment within 72 hours, initial assessment within 14 days
• Please include: Description of the vulnerability, steps to reproduce, potential impact, your assessment of severity (CVSS score if possible)
• We will keep you informed of our progress and notify you when the issue is resolved

3. Scope

In scope:

• Authentication and session management
• API endpoints and webhooks
• Payment flow and webhook verification
• Admin panel access controls
• Row Level Security (RLS) policy bypasses
• Rate limiting bypass
• Credit system integrity

Out of scope:

• Social engineering attacks
• Physical security
• Volumetric denial of service
• Third-party services (Supabase, Stripe, PayPal, Cloudflare, Resend)

4. What We Promise

• We will not pursue legal action against researchers who follow this policy
• We will acknowledge your contribution in our release notes (with your permission)
• We follow coordinated vulnerability disclosure (CVD) principles

5. Platform Security Measures

Stryda employs the following security measures to protect the platform and its users:

• Custom JWT with IP-bound admin sessions
• PBKDF2-SHA256 password hashing (100k iterations)
• Atomic credit operations
• Strict CSP headers
• Row Level Security (RLS) on all database tables
• SSRF protection on all user-supplied URLs
• Timing-safe password comparison