What we do, and what we don't

What we do today

• HTTPS everywhere. TLS terminated at Traefik, no plaintext traffic.
• Postgres files encrypted at rest at the host-disk level (Hetzner volume encryption). Note that this protects against physical theft of the disk, not against an attacker who gains read access inside the DB — see the not-yet list below.
• Authentication via NextAuth with bcrypt password hashing.
• Multi-factor authentication (TOTP) and passkey/WebAuthn login.
• Role-based permissions. Candidate, employer, and admin boundaries enforced server-side.
• Blind-screening enforced at the API layer, not just the UI.
• Audit logs. Every admin write action records actor, IP, user-agent, and field-level diff.
• Per-jurisdiction data retention with a daily auto-purge cron.
• Payment data never touches our servers. Stripe holds card numbers, we store only tokens.
• Rate limiting on authentication, payment, and outbound-message endpoints.
• Security incident contact: security@kovafin.com. Acknowledged within 2 business days.

What we don't have yet

Most platforms our age list certifications they don't actually hold, or quietly imply them with vague "enterprise-grade" copy. We'd rather just tell you.

• No ISO 27001, HIPAA, or PCI DSS certification. The platform is not designed to handle PHI; PCI is offloaded to Stripe.
• No third-party penetration test on the books yet. The bug-bounty program below is our compensating control.
• No formal bug-bounty cash payout yet. That's revenue-gated and explicitly committed to (see below).
• Field-level encryption for sensitive PII (TOTP secrets, phone numbers, candidate profile data) is not yet implemented. Disk-level encryption above protects against physical compromise but not against DB read-access. Trajectory is documented; we'll disclose here the day it ships.

In scope

• kovafin.com and all subdomains
• Public API endpoints under /api/
• Authentication and session handling (NextAuth flows, passkeys)
• Authorization across candidate, employer, and admin boundaries
• Payment, billing, and referral-payout flows
• Blind-screening enforcement and audit-log integrity

Out of scope

• Social engineering of Kovafin staff or users
• Physical attacks against any facility or device
• DDoS, stress testing, or anything that degrades service for others
• Self-XSS, clickjacking with no realistic impact, or missing security headers without a working PoC
• Reports produced only from automated scanners with no manual verification
• Third-party services outside our control (Stripe, Postmark, Coolify, etc. - report upstream)

Rules of engagement

• Test only against accounts you own, or a throwaway account you created.
• Do not access, modify, or delete data that is not yours.
• Do not disclose the issue publicly until we have shipped a fix.
• Give us a reasonable window (generally 90 days) before public disclosure.
• Include clear reproduction steps, impact, and affected URLs in your report.

How we recognize researchers

Kovafin is pre-revenue. We can't promise cash bounties yet, and we'd rather be honest about that than float numbers we can't back. What we do offer today:

• Public credit on the Hall of Fame below (with your permission).
• Kovafin swag once we have it printed.
• A lifetime Enterprise-tier account on us.
• A written reference from the founder for your work.
• First seat at the table when cash bounties launch. Revenue-gated, but coming.

When we have the budget, we will publish a paid scale on this page and retroactively credit past reporters against it.

Safe harbor

If you act in good faith, follow these guidelines, and report the issue privately, we will not pursue legal action against you. We treat you as authorized under the Computer Fraud and Abuse Act and equivalent laws. This is a commitment, not a favor.

Hall of fame

Researchers who have reported valid issues will be listed here (with permission). Be the first.