Security Policy

Effective date: 1 September 2025

Version: 1.5

Contact: legal@authra.io (PGP available on request)

Our Security Stance

Authra builds infrastructure for cryptographic Proof-of-Presence (PoP) and last-mile QoE. We prioritize user safety, privacy, and transparency. If you believe you’ve found a vulnerability, we want to hear from you.

Here’s what that might include:

  • Basic contact info (like your name, email, or company) when you fill out a form or send us a message

  • Analytics data (like page views, time on site, device type, etc.) collected via tools like Google Analytics or Plausible

  • Project-related details if you’re working with us — like brand files, content, and feedback

  • Any info you choose to share when you email, call, or message us

Safe-harbor commitment

If you follow this policy, Authra will not pursue or support legal action against you for good-faith security research. We consider research to be in good faith when you:

  • Avoid privacy violations, data destruction, service degradation, or interruption.

  • Do not access, modify, or exfiltrate data you do not own.

  • Give us a reasonable time to remediate before public disclosure.

  • Comply with applicable laws.

In scope (non-exhaustive)

  • authra.io and subdomains owned by Authra

  • Public APIs and demo endpoints documented on docs.authra.io

  • Open-source client/SDKs under Authra repos


Production validators and private deployments may be out of scope unless we explicitly grant written permission.


Out of scope / prohibited activity

  • DDoS or volumetric attacks; resource exhaustion

  • Social engineering (including against employees, vendors, or users)

  • Physical attacks on facilities or devices

  • Spam, phishing, or brute-forcing credentials

  • Third-party services where Authra is only a customer

  • Automated scanning that degrades performance

  • Accessing or attempting to access personal data or precise location data


How to report


Email security@authra.io with:

  • A clear description and impact

  • Steps to reproduce (PoC), affected endpoints, and logs/screenshots

  • Your contact info and preferred disclosure timeline


Optionally include a PGP key/fingerprint; we can encrypt replies on request.


Our response targets

  • Acknowledgement: within 72 hours

  • Triage & severity rating: within 5 business days

  • Remediation window: depends on severity

    • Critical: aim ≤ 14 days

    • High: ≤ 30 days

    • Medium/Low: prioritized in next release cycle


We’ll keep you informed of progress and coordinate public disclosure.


Recognition & bounties


We currently do not run a paid bug bounty. With your consent, we offer Hall-of-Fame credit on authra.io/security once fixed.


Responsible testing guidelines

  • Use non-destructive tests.

  • Rate-limit your requests; respect robots.txt and headers.

  • Never attempt to deanonymize contributors or infer personal identity from coarse-geo data.

  • Do not pivot to third parties.

  • Stop immediately if you access data that appears sensitive, and report it.


Changes


We may update this policy. The latest version is always on authra.io/security.


© 2025 Authra. All rights reserved.