Security Look deeper. Find everything.

Security

How we secure Intreys, how we receive vulnerability reports, and what we ask in return.

Security posture

Default-private: all product data stays on your machine. License re-validation sends only a signed token + timestamp.
Cryptographic license tokens: Ed25519-signed, machine-fingerprint-bound.
Password hashing: PBKDF2-SHA256, 600,000 iterations (OWASP 2025 guidance), per-user salt.
Rate-limited auth: 5 attempts/minute, 20/hour per IP.
Persistent token blacklist: revocation survives restart (SQLite-backed).
CSP headers: applied on all responses.
Encrypted at-rest secrets: API keys and provider credentials encrypted with a key derived from the machine fingerprint.
Signed binaries: macOS notarised, Windows SmartScreen-trusted, Linux GPG-signed packages.
Auto-updates: SHA-256 + Ed25519 signature verification before install; rollback on failure.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in Intreys, the desktop app, the marketing site, or the license server, please email [email protected].

We follow our public Vulnerability Disclosure Policy — that page has the full SLA, scope, and safe-harbor language. Short version:

Acknowledgment within 2 business days
Triage within 5 business days
Status updates at least every 14 days until resolution
Coordinated disclosure by default; we ask for 90 days before public disclosure

What's in scope

The Intreys desktop app (all platforms)
intreys.com and subdomains (license.intreys.com, releases.intreys.com, status.intreys.com)
The Cloudflare Worker that backs licensing
Distribution artifacts (.pkg, .exe, .deb, .rpm, Docker)

What's out of scope

Third-party providers (AbuseCH, VirusTotal, etc.) — report to them directly
Cloudflare/Stripe infrastructure issues
Self-XSS or social engineering of CyberShelt staff
Findings on systems where you don’t have authorization to test

Encrypted reports

You can encrypt your report using the PGP public key for [email protected], published at /.well-known/pgp-key.txt.

Note: our production PGP key is being published ahead of v1.0.0 GA — the file at /.well-known/pgp-key.txt is currently a placeholder. If you need to send a sensitive report before the production key is live, email [email protected] and we’ll arrange a secure channel.

security.txt

RFC 9116 security.txt at /.well-known/security.txt.

Recognition

Reporters of valid vulnerabilities are credited (with their consent) on a public Hall of Fame after the fix ships. Cash bounties are not yet a part of the program; that is on roadmap.

Supply chain

Builds run in CI (GitHub Actions) on locked, hash-pinned runners.
Dependencies pinned via uv.lock; weekly audit via pip-audit and cargo audit.
SBOM published with every release at releases.intreys.com.
Code-signing keys held in HSM-backed key vaults; signing happens only on tagged release builds.

Subprocessors

Cloudflare (CDN, Worker, KV, edge DNS)
Stripe (payments)
GitHub (source hosting and CI)
Apple, Microsoft, Linux distributions (code-signing trust chain)

Bug bounty status

Reputational only at GA. Cash bounties are roadmap-dependent on fundraising and program scaling.

Security contact

[email protected] — PGP-encrypted reports welcome.