Exposera

Security

Last updated: October 7, 2025

Our security approach

Security is a shared responsibility. We operate a small, security-conscious service and rely on Cloudflare for the bulk of infrastructure protections. On top of that, we apply engineering and operational controls to protect user data and keep the service available and resilient.

  • Infrastructure & edge protections

    Cloudflare provides global edge network protections including DDoS mitigation, TLS, a Web Application Firewall (WAF), and routing isolation.

  • Storage & database

    User content is stored on Cloudflare R2 and application data is stored in D1. Access to these services is restricted and audited.

  • Encryption

    We use TLS for data in transit. Data at rest protections are provided by Cloudflare for the storage and database services we use.

  • Secure development practices

    We review code, apply dependency updates, and run automated tests and linters as part of our CI. Sensitive operations are logged and access is limited to authorized personnel.

  • Incident response

    We maintain incident response procedures, monitor for anomalous activity, and will notify affected users if a security incident requires disclosure.


Coordinated vulnerability disclosure

We welcome reports from security researchers and the community. We follow a coordinated vulnerability disclosure process (we do not use the term "responsible disclosure"). Our goal is to acknowledge reports quickly, work with reporters to verify and remediate the issue, and then coordinate public disclosure once fixes are in place.

How to report

Please send security reports to security@exposera.com. When possible include:

  • A clear summary of the issue and affected URL(s) or API endpoints.
  • Step-by-step reproduction instructions, proof-of-concept code or screenshots.
  • Impact description: what an attacker could do and what data might be accessed.
  • Your preferred contact email and any disclosure preferences.

What we ask of researchers

  • Do not access, modify, or delete data you are not authorized to access.
  • Do not run availability-impacting tests such as denial-of-service or high-volume automated scanning against the service.
  • Do not publicly disclose the issue until we have had a chance to investigate and remediate, unless we explicitly decline coordination.

Our commitments

  • Acknowledge receipt of a report within 3 business days whenever possible.
  • Triage and initial assessment in a timely manner; we'll share status updates with the reporter.
  • Work with the reporter to test fixes and coordinate disclosure. We aim to remediate critical issues as quickly as possible and target public disclosure once fixes are available.

Note: timelines depend on issue complexity and the need to coordinate with third-party providers (we rely on Cloudflare for infrastructure protections). We will not take legal action against good-faith security researchers who follow this policy.


Additional information

For machine-readable contact information and policy discovery, see our security.txt (RFC 9116 format) in the site root: /security.txt. The canonical, human-readable policy is at https://exposera.com/security.
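
The security.txt format referenced above is defined by RFC 9116. The checker below is an added example and is not part of this page or of Exposera's own code: it parses a constructed security.txt, verifies the fields a reporter relies on (at least one Contact URI, exactly one Expires value in RFC 3339 form that has not yet passed) and flags unknown field names. The Contact and Policy values are those given on this page; the Expires date, the Canonical path and the reference time are assumptions made for the example.

```python
from datetime import datetime, timezone

# Reference time for the checks below: the policy page's "last updated" date.
REFERENCE_NOW = datetime(2025, 10, 7, tzinfo=timezone.utc)

# Constructed sample. Contact and Policy come from the policy page; the
# Expires date and the Canonical path are assumptions for this example.
SAMPLE_SECURITY_TXT = """\
# security.txt for exposera.com (constructed example)
Contact: mailto:security@exposera.com
Expires: 2026-10-07T00:00:00.000Z
Policy: https://exposera.com/security
Canonical: https://exposera.com/security.txt
Preferred-Languages: en
"""

REQUIRED_FIELDS = ("Contact", "Expires")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages", "CSAF"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Map each field name to the list of its values, in file order.

    Blank lines and '#' comments are skipped; every other line must be
    of the form 'Field: value'.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an RFC 3339 date-time such as 2026-10-07T00:00:00.000Z.

    Returns an aware datetime, or None if the value is unparseable or
    carries no time zone (RFC 3339 requires an offset or 'Z').
    """
    candidate = value[:-1] + "+00:00" if value.endswith(("z", "Z")) else value
    try:
        when = datetime.fromisoformat(candidate)
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def validate_security_txt(text, now=REFERENCE_NOW):
    """Return a list of problems; an empty list means a reporter can rely on the file."""
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")

    # Contact values must be URIs; a bare e-mail address is a common mistake.
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {contact}")

    # Expires must appear exactly once and must lie in the future.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        when = parse_expires(value)
        if when is None:
            problems.append(f"Expires is not an RFC 3339 date-time: {value}")
        elif when <= now:
            problems.append(f"file expired on {value}")

    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["ok"]:
        print(problem)
```

When checking a live site, fetch the file from both locations RFC 9116 describes, /.well-known/security.txt (the primary location) and /security.txt (the legacy fallback), and pass the body to validate_security_txt; an expired or Contact-less file is the most frequent reason a reporter cannot reach a vendor through it.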

If you have other security questions, please email security@exposera.com.