Security

Responsible Disclosure

We build VeloCMS to be trusted by thousands of bloggers and their readers. Security is not an afterthought — it's a prerequisite. If you've found something that looks wrong, we want to hear from you, and we're prepared to reward good-faith research proportional to its impact.

The program is independent and self-run. Because there are no HackerOne platform fees, every dollar of the annual budget goes directly to researchers. We plan to migrate to a managed platform at meaningful revenue scale; until then, this structure keeps things lean and gives us full control over the response process.

How to Report

The fastest path is the structured report form — you'll get an automated acknowledgment within 60 seconds with a report ID. If you prefer email, that works too. For code-level issues (supply chain, dependency chain, secrets in the repo), GitHub Security Advisories keeps the disclosure private until the fix ships.

Preferred — JSON endpoint

POST https://velocms.org/api/security/report
Content-Type: application/json

{
  "researcher_email": "[email protected]",
  "title": "Short summary",
  "description": "Full vulnerability description (50+ chars)",
  "poc": "Proof-of-concept steps (optional)",
  "affected_url": "https://velocms.org/affected-path (optional)"
}

Reward Tiers

Annual budget cap: $5,000 USD. Paid via PayPal or Wise within 30 days of severity assignment.

Severity        USD Range
Critical        $500 – $2,000
High            $200 – $500
Medium          $50 – $200
Low             $25 – $50
Informational   $0 + swag

Scope

In Scope

  • velocms.org production + /admin
  • *.velocms.org tenant subdomains
  • Custom-domain tenant blogs
  • PocketBase backend (production)
  • Stripe webhook handlers
  • Email flows (magic link, member verify)
  • Plugin marketplace sandbox
  • All /api/* routes

Out of Scope

  • Social engineering / phishing
  • DDoS / volumetric attacks
  • Stripe, Resend, Cloudflare, Railway
  • Self-hosted VeloCMS deployments
  • Theoretical issues without PoC
  • Self-XSS (no phishing vector)
  • Stale npm CVEs (CI-tracked)
  • Staging / localhost environments

Disclosure Timeline

Once you report, here's what happens on our end — and what you can expect at each step.

Within 60 seconds    Automated acknowledgment email with your report ID
Within 48 hours      Founder response: severity assessment + fix timeline
Within 7 days        Formal severity assignment and reward confirmation
Critical: 7 days     Fix target (hotfix branch, immediate deploy)
High: 30 days        Fix target (next sprint)
Medium: 90 days      Fix target (normal sprint queue)
Low: best effort     Backlog item
90 days default      Coordinated disclosure window before public release

Safe Harbor

We will not pursue legal action against researchers who discover and report vulnerabilities through this program in good faith, who don't access or exfiltrate user data beyond what's needed to confirm the issue, and who give us reasonable time to fix before disclosing publicly.

This safe harbor applies to good-faith, in-scope research only. It does not cover activities that cause real harm to users, tenants, or platform infrastructure.

Security Controls & Compliance Posture

At VeloCMS, your content, your readers' data, and your payment credentials stay yours — encrypted, isolated, and never shared between tenants. Every secret you provide (Stripe keys, AI API keys) is wrapped in AES-256-GCM encryption before it touches our database. Tenant data is separated at both the database and application layers, so one blog can never reach another's content. That's not a marketing promise — it's enforced by two independent technical controls running on every request.

The monitoring stack is always on. Sentry catches unhandled errors the moment they happen. UptimeRobot checks every five minutes that the platform is responding. Dependency vulnerabilities get flagged by Dependabot before they ever reach production. And every production change flows through a four-gate verification cycle — type checking, linting, unit tests, and a full build — before it can deploy.

We're actively preparing for SOC 2 Type 1 certification. The technical controls — audit logging, access reviews, encrypted bring-your-own-key credentials, continuous monitoring — have been live since launch. The policy documentation and formal audit engagement are in progress. If you're an enterprise evaluating VeloCMS and need the control matrix or policy library under NDA, get in touch.

  • Encryption: AES-256-GCM + HKDF envelope for all tenant secrets
  • Tenant isolation: dual-layer (PocketBase API rules + application filter registry)
  • Webhook integrity: HMAC-SHA256 on all Stripe webhook events
  • Access control: least-privilege credentials; scoped tokens per service
  • Monitoring: Sentry + UptimeRobot + Logflare — continuous, not periodic
  • Change management: 4-gate CI + conventional commits + Railway auto-deploy from main
  • Audit logs: immutable delete rules; every auth event captured
  • SOC 2 Type 1: controls live since launch; audit engagement in preparation

For compliance inquiries or to request the SOC 2 control matrix under NDA: [email protected]

Found something? The program is live and rewards are paid.
