Trust & Security
Security at BreachVex
We run offensive security for a living. We hold ourselves to the same standards we ask of our customers.
Responsible Disclosure
If you discover a security issue in BreachVex or our infrastructure, we want to hear from you.
- Scope: the breachvex.com domain, our public APIs, the BreachVex worker, and any first-party subdomain.
- Safe harbor: we will not pursue legal action against researchers acting in good faith, meaning no DoS, no data exfiltration beyond what is needed to demonstrate impact, and no social engineering of staff.
- Reporting: email security@breachvex.com with a clear writeup and reproduction steps.
- Encrypted reports: request our preferred encrypted channel in your initial email; we will respond out-of-band.
- SLA: acknowledgement within 48 hours. Triage and remediation target of 30 days for high/critical issues.
- Coordinated disclosure: we agree on a public disclosure date with the reporter on a case-by-case basis.
Out of scope
- Denial-of-service or DDoS attacks against our infrastructure.
- Social engineering of staff, contractors, or customers.
- Vulnerabilities in third-party services we depend on (please report to the upstream vendor).
Data Handling
- Workers are ephemeral: each scan runs real, industry-standard offensive tooling in a fresh, single-use isolated container that is destroyed when the scan ends.
- Encryption at rest: AES-256 on customer data and scan artefacts. TLS 1.3 in transit.
- EU data residency: all infrastructure (hosting, database, CDN) operates in EU regions.
- We do not collect personal data inside scans. We extract evidence, not customer records.
- Worker logs are kept 7 days for debugging, then purged. Scan reports follow your retention settings.
Infrastructure
Our production architecture:
- Sandboxed execution: workers run inside isolated containers with restricted capabilities and no host filesystem access.
- Network isolation: each scan runs in its own network namespace; no cross-tenant traffic.
- No persistent customer data on workers — state lives in our encrypted database, not on the fleet.
Compliance Roadmap
- SOC 2 Type II: actively evaluating audit firms; target timeline 2027.
- ISO 27001: actively evaluating audit firms; target timeline 2027.
- GDPR: privacy-by-design from day one. DPA available on request.
Authorization & Scope
Customers must sign an authorization statement before any scan starts. We refuse to scan assets without explicit, written scope. Running a pentest without authorization is illegal in most jurisdictions — we won't be a party to it.
Hall of Fame
Researchers who report valid issues will be credited here, with their consent. No reports received yet.
Machine-readable policy: /.well-known/security.txt. Questions? Contact us.
Last updated: May 15, 2026 · Policy version 1.0