Security at bleek

We sell security — so we hold ourselves to the same checklist we sell. Here's our public posture, how to report vulnerabilities, and our security.txt.

Our posture

Strict transport security

HSTS with `includeSubDomains` + `preload` (max-age 2 years). Browsers refuse plain HTTP on any bleek.dev subdomain.

Content Security Policy

Tight CSP on every page — no wildcard script sources. Working toward nonce-based scripts to drop `unsafe-inline`.

No source maps in production

Production builds ship without `.map` files so our source isn't browsable.

Read-only scanner

We probe and observe. We never run exploits. We never write to your app.

Session-replay input masking

PostHog session replay runs with `maskAllInputs:true`. We never record what visitors type.

Email auth (SPF · DKIM · DMARC)

DMARC at `p=quarantine` on our root domain. Outbound mail signed with DKIM. Stops impersonation in transit.
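The HSTS, CSP and DMARC items above each name a concrete setting that can be verified by reading a header or a DNS TXT record and never touching the application. The script below is an added example written for this page, not bleek's scanner or any code from the bleek project: it parses those three values and returns a list of findings against the posture the page describes (HSTS max-age of at least two years with `includeSubDomains` and `preload`; no wildcard script sources and no `unsafe-inline`, with nonce-based scripts as the target state; DMARC policy of at least `quarantine`). The sample header and record values at the bottom are constructed, and the host names and nonce in them are placeholders.

```javascript
// Added example, not bleek's own code. Read-only posture checks run against
// constructed sample values; nothing here contacts a server or a resolver.

// The page states "max-age 2 years" for HSTS; this is the threshold in seconds.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

// Parse "max-age=63072000; includeSubDomains; preload" into findings.
// An empty array means the header matches the posture described above.
function checkHsts(headerValue) {
  if (!headerValue) return ['HSTS header missing'];
  const findings = [];
  const directives = headerValue
    .split(';')
    .map((d) => d.trim().toLowerCase())
    .filter(Boolean);
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  const age = maxAge ? Number(maxAge.slice('max-age='.length)) : NaN;
  if (!Number.isFinite(age)) findings.push('max-age missing or not numeric');
  else if (age < TWO_YEARS_SECONDS) findings.push(`max-age ${age} is below 2 years`);
  if (!directives.includes('includesubdomains')) findings.push('includeSubDomains missing');
  if (!directives.includes('preload')) findings.push('preload missing');
  return findings;
}

// Parse a Content-Security-Policy into a Map of directive -> source list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Flag wildcard script sources and 'unsafe-inline', and report when no
// nonce-based script source is present. script-src falls back to default-src
// when absent, as browsers do.
function checkCsp(headerValue) {
  if (!headerValue) return ['CSP header missing'];
  const findings = [];
  const policy = parseCsp(headerValue);
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src');
  if (!scriptSrc) return ['no script-src or default-src directive'];
  const lower = scriptSrc.map((s) => s.toLowerCase());
  // '*' and host patterns containing '*' are wildcards; a bare scheme such
  // as https: admits every host on that scheme, so it is treated the same way.
  const wildcards = lower.filter((s) => s.includes('*') || s === 'https:' || s === 'http:');
  if (wildcards.length > 0) findings.push(`wildcard script sources: ${wildcards.join(' ')}`);
  if (lower.includes("'unsafe-inline'")) findings.push("'unsafe-inline' present in script sources");
  if (!lower.some((s) => s.startsWith("'nonce-"))) findings.push('no nonce-based script source');
  return findings;
}

// Parse "v=DMARC1; p=quarantine; rua=mailto:..." and check the policy is at
// least quarantine, applies to 100% of mail, and reports somewhere.
function checkDmarc(txtRecord) {
  if (!txtRecord) return ['DMARC record missing'];
  const findings = [];
  const tags = new Map();
  for (const part of txtRecord.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    tags.set(part.slice(0, idx).trim().toLowerCase(), part.slice(idx + 1).trim());
  }
  if (tags.get('v') !== 'DMARC1') findings.push('record does not declare v=DMARC1');
  const p = (tags.get('p') ?? '').toLowerCase();
  if (!['quarantine', 'reject'].includes(p)) findings.push(`policy p=${p || 'missing'} is weaker than quarantine`);
  const pct = tags.has('pct') ? Number(tags.get('pct')) : 100;
  if (!(pct >= 100)) findings.push(`pct=${tags.get('pct')} leaves some mail unpoliced`);
  if (!tags.has('rua')) findings.push('no rua= aggregate report address');
  return findings;
}

// Constructed sample values (placeholder hosts and nonce), not real responses.
const SAMPLE = {
  hsts: 'max-age=63072000; includeSubDomains; preload',
  csp: "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER' https://cdn.example.invalid",
  dmarc: 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid',
};

// Run all three checks and return one report object.
function postureReport({ hsts, csp, dmarc }) {
  return { hsts: checkHsts(hsts), csp: checkCsp(csp), dmarc: checkDmarc(dmarc) };
}

console.log(JSON.stringify(postureReport(SAMPLE), null, 2));
```

The checks are deliberately string-level: they read what a server or resolver hands back and compare it with the stated posture, which is the same read-only stance the page describes for its own scanner. One caveat the CSP check encodes as a comment rather than a finding: once a `nonce-` or hash source is present, browsers ignore `'unsafe-inline'` in that directive, so the two findings can coexist on a policy that is mid-migration.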

Found a vulnerability? Tell us.

Email us at security@bleek.dev with a description of the issue, steps to reproduce, and (ideally) the impact. We respond within 2 business days.

Please do not run automated exploitation, do not test on user data you don't own, and don't post details publicly before we've confirmed the fix.

We don't run a paid bug bounty yet, but we credit every reporter in our changelog with their permission.

Machine-readable contact at `/.well-known/security.txt` per RFC 9116.