Security
Responsible Disclosure
If you discover a security vulnerability in BugSpotter, please report it responsibly:
- Email: security@bugspotter.io
- We will acknowledge your report within 48 hours
- We will provide a fix timeline within 5 business days
- We will not pursue legal action against researchers who follow this policy
Scope
The following are in scope for security reports:
- BugSpotter SDK (@bugspotter/sdk)
- Chrome Extension
- Admin Panel (app.kz.bugspotter.io)
- API (api.kz.bugspotter.io)
- Demo instances (demo.kz.bugspotter.io)
Out of Scope
- Social engineering attacks
- Denial of service (DoS/DDoS)
- Vulnerabilities in third-party dependencies (report to upstream)
- Issues in demo data or test accounts
Security Practices
Data Encryption
- All data encrypted in transit — TLS 1.3
- All data encrypted at rest — AES-256
- Database connections use TLS with certificate verification
Client-Side PII Redaction
- 9 built-in patterns: emails, phones, credit cards, SSNs, IINs, IP addresses, API keys, tokens, passwords — masked in the browser before upload
- Compliance presets: gdpr, pci, financial, kazakhstan, minimal, all
- Custom regex patterns for industry-specific data (broker accounts, IBANs, internal IDs)
- Your servers — and ours — never receive raw personal data
Custom pattern example
```javascript
BugSpotter.init({
  sanitize: {
    patterns: 'all',
    customPatterns: [
      { name: 'broker-account', regex: /FRH\d{9}/gi },
      { name: 'iban-kz', regex: /KZ\d{18}/gi },
    ],
  },
});
```
Authentication
- JWT tokens (access: 24h, refresh: 7d)
- Refresh tokens stored in httpOnly secure cookies (not localStorage)
- Account lockout after 5 failed login attempts (15-minute cooldown)
- API keys: bcrypt-hashed, prefix-only display after creation
Network Capture Security
- Authorization headers, cookies, and API keys are automatically stripped from captured network requests
- Custom header filtering patterns supported via SDK configuration
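To show what the custom pattern configuration above and the header-stripping rule do to a real capture, here is an added example of a browser-side sanitizer. It is illustration code, not the BugSpotter SDK's implementation: the built-in pattern set, the sensitive-header list, the function names maskText and sanitizeRequest, the placeholder format and the sample request are all assumptions constructed for this example.

```javascript
// Added example (not the BugSpotter SDK's own code): masks PII in text with
// built-in-style and custom regexes, then strips credential-bearing headers
// from a captured request, all before anything leaves the browser.
// Pattern names, header names and sample data are constructed for illustration.

// A few built-in-style patterns (constructed; the SDK's own list is larger).
const BUILT_IN_PATTERNS = [
  { name: 'email', regex: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { name: 'credit-card', regex: /\b(?:\d[ -]?){13,16}\b/g },
  { name: 'ipv4', regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
];

// Custom patterns in the same shape as the customPatterns config above.
const CUSTOM_PATTERNS = [
  { name: 'broker-account', regex: /FRH\d{9}/gi },
  { name: 'iban-kz', regex: /KZ\d{18}/gi },
];

// Custom patterns run first so an industry-specific match is labelled as such
// before a generic pattern can claim part of it.
const ALL_PATTERNS = [...CUSTOM_PATTERNS, ...BUILT_IN_PATTERNS];

// Header names whose values must never be captured; they are dropped outright
// rather than masked, so nothing about their shape or length is uploaded.
const SENSITIVE_HEADERS = [
  /^authorization$/i,
  /^proxy-authorization$/i,
  /^cookie$/i,
  /^set-cookie$/i,
  /^x-api-key$/i,
];

// Replace every match of every pattern with a labelled placeholder.
function maskText(text, patterns = ALL_PATTERNS) {
  let out = text;
  for (const { name, regex } of patterns) {
    regex.lastIndex = 0; // global regexes keep state between calls
    out = out.replace(regex, `[REDACTED:${name}]`);
  }
  return out;
}

// Sanitize one captured request: drop sensitive headers, then mask the URL,
// the remaining header values and the body.
function sanitizeRequest(request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (SENSITIVE_HEADERS.some((re) => re.test(name))) continue;
    headers[name] = maskText(String(value));
  }
  return {
    method: request.method,
    url: maskText(request.url),
    headers,
    body: request.body === undefined ? undefined : maskText(String(request.body)),
  };
}

// Constructed sample of what an SDK might capture from a page (not real data).
const capturedRequest = {
  method: 'POST',
  url: 'https://api.example.test/orders?email=alice@example.com',
  headers: {
    Authorization: 'Bearer constructed-token-value',
    Cookie: 'session=abc123',
    'Content-Type': 'application/json',
    'X-Trace-Id': 'trace-42',
  },
  body: '{"card":"4111 1111 1111 1111","account":"FRH123456789"}',
};

console.log(JSON.stringify(sanitizeRequest(capturedRequest), null, 2));
```

Regex-based redaction trades precision for recall: the ipv4 pattern above will also mask a dotted version string, and the credit-card pattern will mask any 13 to 16 digit run. That is the right bias for data that leaves the browser, but it is why a custom pattern list should be tested against the application's own payloads before rollout.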
Infrastructure
- SaaS hosted in the Republic of Kazakhstan (data residency compliance)
- Managed PostgreSQL with automated backups and point-in-time recovery
- Managed Redis with TLS
- S3-compatible object storage with encryption at rest
- Container-based deployment with resource isolation
AI Security
- AI runs on self-hosted Ollama — no data sent to third-party APIs
- LLM inference happens within the same infrastructure as the application
- SaaS customers: AI runs on our servers in Kazakhstan
- Self-hosted customers: AI runs entirely on your infrastructure
Compliance
- Kazakhstan Law №94-V — Personal Data Protection (including July 2024 amendment: 1 business day breach notification)
- Astana Hub — member of the international technopark
- GDPR-ready — client-side PII redaction, data export, deletion on request
- PCI DSS-aware — credit card numbers masked before upload
OWASP Top 10 Self-Assessment
Internal code audit conducted in April 2026 against OWASP Top 10 (2021). All categories passed.
| Category | Status | Key Controls |
|---|---|---|
| A01: Broken Access Control | Pass | Role-based middleware (platform admin, org roles, project roles), API key scoping |
| A02: Cryptographic Failures | Pass | AES-256-GCM encryption, bcrypt password hashing, scrypt key derivation, HSTS |
| A03: Injection | Pass | Parameterized SQL queries, validated identifiers, CSP headers |
| A04: Insecure Design | Pass | Rate limiting (per-IP + per-API-key), Zod schema validation, request body limits |
| A05: Security Misconfiguration | Pass | Helmet security headers, strict CORS validation, no stack traces in production |
| A06: Vulnerable Components | Pass | Modern dependencies, regular updates, no known CVEs as of April 2026 |
| A07: Authentication Failures | Pass | JWT with expiry, httpOnly refresh cookies, magic link time-binding, lockout |
| A08: Data Integrity Failures | Pass | HMAC-SHA256 webhook signatures, timing-safe comparison, replay protection |
| A09: Logging & Monitoring | Pass | Audit logs for all admin actions, sensitive data redacted, failed login tracking |
| A10: SSRF | Pass | Private IP blocking, cloud metadata blocking, alternative encoding detection, isolated-vm sandbox |
This self-assessment covers the backend API and SDK. An independent penetration test is planned for 2026.
Open Source
- SDK: MIT license — fully open source, audit anytime
- Backend: Fair Source — becomes Apache 2.0 after 2 years
- Data stored in standard PostgreSQL + S3 — no vendor lock-in
Contact
For security concerns: security@bugspotter.io
For privacy concerns: privacy@bugspotter.io
For general inquiries: info@bugspotter.io