| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Scrybe never collects Personally Identifiable Information (PII):
- ✅ NO email addresses
- ✅ NO phone numbers
- ✅ NO names
- ✅ NO postal addresses
- ✅ NO government IDs
IP Address Handling:
- IPs are hashed with SHA-256 + salt
- Plain text IPs never stored
- Irreversible one-way hashing
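The following is an added example of the salted SHA-256 pseudonymization described above, written for this page and not taken from Scrybe's code base; the salt value, the record layout and the function names are constructed for illustration. It canonicalises the address first (so an IPv4-mapped IPv6 form and its plain IPv4 form give the same pseudonym), length-prefixes the salt, and adds a storage-side guard that refuses to persist a record still carrying a literal IPv4 address, which is the check that backs the "plain text IPs never stored" rule.

```python
import hashlib
import ipaddress
import re

# Constructed 32-byte salt for this example. In a deployment it comes from a
# secret store and never appears in logs or source: IPv4 has only 2^32
# addresses, so if the salt leaks the whole table of hashes can be rebuilt.
# The salt therefore has to be treated as a secret for the hash to stay
# practically one-way.
SECRET_SALT = bytes.fromhex(
    "6f3a9c1e5b2d4f8a7e6c5b4a3d2e1f0099aabbccddeeff001122334455667788"
)


def canonical_ip(ip: str) -> bytes:
    """Canonicalise the address so the same host always yields the same
    pseudonym: IPv4-mapped IPv6 ("::ffff:1.2.3.4") collapses to plain IPv4 and
    IPv6 is written in compressed form. Raises ValueError on non-addresses."""
    addr = ipaddress.ip_address(ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed.encode("ascii")


def pseudonymize_ip(ip: str, salt: bytes = SECRET_SALT) -> str:
    """Salted SHA-256 of the canonical address as a 64-character hex digest.

    The salt is length-prefixed so the salt/address boundary is unambiguous."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 128 bits")
    h = hashlib.sha256()
    h.update(len(salt).to_bytes(2, "big"))
    h.update(salt)
    h.update(canonical_ip(ip))
    return h.hexdigest()


# Dotted-quad candidates not embedded in a longer token (e.g. a version string
# glued to letters). Each candidate is then validated with ipaddress.
_IPV4_CANDIDATE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def contains_plaintext_ipv4(text: str) -> bool:
    """True if a record field or log line still carries a literal IPv4 address."""
    for candidate in _IPV4_CANDIDATE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
            return True
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return False


def store_record(record: dict) -> dict:
    """Replace the 'ip' field with its pseudonym and refuse to persist a record
    that still carries a plaintext address in any other string field."""
    out = dict(record)
    if "ip" in out:
        out["ip_hash"] = pseudonymize_ip(out.pop("ip"))
    for key, value in out.items():
        if isinstance(value, str) and contains_plaintext_ipv4(value):
            raise ValueError(f"refusing to store plaintext IP in field {key!r}")
    return out
```

The guard is deliberately conservative: anything that parses as an IPv4 address is rejected, so a field that legitimately contains a dotted version number would need to be exempted explicitly rather than silently passed through.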
We collect only what's necessary for bot detection:
- Browser fingerprints (canvas, WebGL, audio)
- Behavioral patterns (mouse, scroll, timing)
- Network signals (TLS, HTTP headers)
- All data pseudonymized
In Transit:
- TLS 1.3 only (no TLS 1.2 or earlier)
- Strong cipher suites
- Perfect forward secrecy
At Rest:
- ClickHouse encryption
- Redis encryption (optional)
- Encrypted backups
HMAC-SHA256:
- 256-bit keys minimum
- Constant-time signature verification
- Nonce-based replay attack prevention
- 5-minute timestamp window
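As an added example (not Scrybe's own code; header names, the canonical message layout and the key are constructed for illustration), this shows both sides of the signing scheme above: the client attaches a timestamp, a random nonce and an HMAC-SHA256 tag, and the server enforces the 256-bit key minimum, the 5-minute window, constant-time comparison and nonce-based replay rejection. The verification order is the part worth studying: the window and signature checks run before the nonce is recorded, so unauthenticated traffic can neither fill the nonce cache nor burn a legitimate client's nonce, and each nonce is retained until the timestamp it was signed with falls outside the window.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 300   # the policy's 5-minute timestamp window
MIN_KEY_BYTES = 32     # the policy's 256-bit key minimum


def canonical_message(method: str, path: str, body: bytes,
                      timestamp: int, nonce: str) -> bytes:
    """Length-prefix every field so no two (method, path, body, ts, nonce)
    tuples can serialise to the same byte string."""
    out = bytearray()
    for part in (method.encode(), path.encode(), body,
                 str(timestamp).encode(), nonce.encode()):
        out += len(part).to_bytes(4, "big") + part
    return bytes(out)


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: returns the three headers the server needs (names assumed)."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # 128-bit random nonce
    tag = hmac.new(key, canonical_message(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"x-timestamp": str(ts), "x-nonce": nonce, "x-signature": tag}


class NonceCache:
    """Remembers each nonce until the timestamp it was signed with can no
    longer be accepted, so a captured request cannot be resubmitted."""

    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}

    def seen_before(self, nonce: str, expires_at: float, now: float) -> bool:
        for stale in [n for n, exp in self._expiry.items() if exp <= now]:
            del self._expiry[stale]
        if nonce in self._expiry:
            return True
        self._expiry[nonce] = expires_at
        return False


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], nonces: NonceCache,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side. Window check, then constant-time signature check, and only
    then is the nonce recorded."""
    now = time.time() if now is None else now
    if len(key) < MIN_KEY_BYTES:
        return False, "key shorter than 256 bits"
    try:
        ts = int(headers["x-timestamp"])
        nonce = str(headers["x-nonce"])
        presented = str(headers["x-signature"]).encode("utf-8")
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(key, canonical_message(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest runs in time independent of where the first mismatch is.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    # Keep the nonce until ts + window: a request signed with a future-leaning
    # timestamp stays replayable longer than one signed in the past.
    if nonces.seen_before(nonce, expires_at=ts + WINDOW_SECONDS, now=now):
        return False, "replayed nonce"
    return True, "ok"
```

Both the presented and the expected tag are compared as bytes, because `hmac.compare_digest` rejects non-ASCII `str` input with an exception, and an untrusted header is exactly where such input arrives.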
Protection Levels:
- 100 requests/sec per IP (ingestion)
- 10 requests/sec per IP (queries)
- Token bucket algorithm
- Automatic blocking on abuse
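An added example, not Scrybe's implementation, of the token-bucket limiter and escalation-to-block behaviour listed above. The two tiers use the page's numbers (100/s for ingestion, 10/s for queries); the burst size, the strike threshold, the strike window and the block duration are assumptions chosen for illustration, and the key is meant to be the hashed IP rather than the plaintext address.

```python
from typing import Dict, List


class PerKeyTokenBucket:
    """Token-bucket limiter keyed by a per-client identifier (the hashed IP),
    with automatic temporary blocking of keys that keep exceeding it."""

    def __init__(self, rate: float, burst: float,
                 strikes_to_block: int = 3, strike_window: float = 10.0,
                 block_seconds: float = 60.0) -> None:
        self.rate = rate                  # sustained requests per second
        self.burst = burst                # bucket capacity
        self.strikes_to_block = strikes_to_block
        self.strike_window = strike_window
        self.block_seconds = block_seconds
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}
        self._strikes: Dict[str, List[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def check(self, key: str, now: float) -> str:
        """Returns "allowed", "limited" (over rate) or "blocked" (auto-block)."""
        if self._blocked_until.get(key, 0.0) > now:
            return "blocked"
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = self._tokens.get(key, self.burst)
        last = self._last.get(key, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self._last[key] = now
        if tokens >= 1.0:
            self._tokens[key] = tokens - 1.0
            return "allowed"
        self._tokens[key] = tokens
        # Over the limit: record a strike. Repeated strikes inside the strike
        # window escalate to a block, which is what turns "rate limiting" into
        # "automatic blocking on abuse".
        recent = [t for t in self._strikes.get(key, [])
                  if now - t < self.strike_window]
        recent.append(now)
        if len(recent) >= self.strikes_to_block:
            self._blocked_until[key] = now + self.block_seconds
            self._strikes.pop(key, None)
            return "blocked"
        self._strikes[key] = recent
        return "limited"


# The policy's two tiers, with burst set to one second's worth of requests
# (an assumption; the page does not state the burst size).
INGEST_LIMITER = PerKeyTokenBucket(rate=100.0, burst=100.0)
QUERY_LIMITER = PerKeyTokenBucket(rate=10.0, burst=10.0)


def simulate_burst(limiter: PerKeyTokenBucket, key: str, n: int,
                   now: float) -> Dict[str, int]:
    """Send n requests from one key at the same instant and count outcomes."""
    counts = {"allowed": 0, "limited": 0, "blocked": 0}
    for _ in range(n):
        counts[limiter.check(key, now)] += 1
    return counts
```

A blocked key does not refill while it is blocked, and the strike list is dropped when the block is imposed, so a client that stays quiet for the block duration comes back with a full bucket and a clean record.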
DO NOT open a public issue for security vulnerabilities.
Instead:
- Email: [email protected] (create this)
- Include:
  - Description of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Expected response time:
  - Critical: 24 hours
  - High: 48 hours
  - Medium: 7 days
  - Low: 30 days
Before submitting PR:
- No hardcoded secrets or credentials
- All input validated and bounded
- No PII collection
- IP addresses hashed
- No sensitive data in logs
- TLS enforced for connections
- Rate limiting applied
- HMAC signatures verified
- Nonces prevent replay attacks
- Constant-time crypto comparisons
Consent (Article 6(1)(a)):
- Explicit consent required for EU visitors
- Consent banner shown before collection
- Easy opt-out mechanism
Article 15 - Right of Access:
- Users can request their data
Article 17 - Right to Erasure:
- Deletion by fingerprint ID supported
- 90-day automatic deletion (TTL)
Article 20 - Right to Portability:
- JSON export available
Template available at docs/legal/dpa-template.md
Last Audit: 2025-01-22
Findings: None
Pentest: Pending
Security Updates:
- `cargo audit` runs on every CI build
- Automated dependency updates weekly
- Critical patches applied immediately
- Replay Attacks → Nonce validation
- DDoS → Rate limiting + size limits
- Injection → Input validation + parameterized queries
- Timing Attacks → Constant-time comparisons
- Session Fixation → Secure random IDs
- Data Breaches → No PII + encryption
Active Monitoring:
- Failed authentication attempts
- Rate limit violations
- Unusual traffic patterns
- Dependency vulnerabilities
Procedures:
- Identify scope
- Contain breach
- Assess impact
- Notify affected parties (72h for GDPR)
- Fix vulnerability
- Post-mortem report
Breach Notification:
- Template: docs/procedures/breach-notification.md
- Contact: DPA (if EU users affected)
- Timeline: 72 hours from discovery
Security Team: [email protected]
Privacy Officer: [email protected]
DPO (if required): [email protected]
Last Updated: 2025-01-22
Version: 0.1.0