Security & Disclosure
We take the security of this site and the data entrusted to us seriously. This page describes how we handle vulnerabilities, what we do to stay secure, and how to reach us if you find a problem.
Responsible Disclosure
If you discover a security vulnerability on arclume.ca or in any system we operate, we ask that you report it to us privately before disclosing it publicly. We commit to:
- Acknowledging your report within 48 hours
- Keeping you informed as we investigate and remediate
- Giving you credit if you'd like, once the issue is resolved
- Not taking legal action against researchers acting in good faith
We ask that you give us a reasonable window (up to 90 days) to address the issue before any public disclosure.
Report a vulnerability
Email contact@arclume.ca with “Security” in the subject line. PGP encryption is not required but is welcome. Please include a description of the issue, steps to reproduce, and your assessment of its severity.
Our Practices
We follow a set of baseline security practices across all systems we build and operate:
HTTPS everywhere
All traffic is served over HTTPS with HTTP Strict Transport Security (HSTS) enabled, including subdomains. Certificates renew automatically.
Secrets management
API keys and credentials are stored exclusively in environment variables, never committed to source control. We use Vercel's encrypted environment variable system in production.
Dependency hygiene
We keep dependencies up to date and review npm audit results before deploying. High and critical severity advisories are addressed before any production release.
Input validation & rate limiting
All form submissions are validated server-side. The contact API enforces per-IP rate limiting and honeypot checks. Security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options: nosniff) are set on every response.
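The three controls described above (server-side validation, per-IP rate limiting with a honeypot field, and security headers on every response, here together with the HSTS header from the "HTTPS everywhere" practice) in one small handler. This is an added example, not arclume.ca's own contact API: the function names, the hidden field name `website`, the window and limit values, and the CSP/HSTS values are assumptions chosen for illustration.

```javascript
// Added example, not arclume.ca's own code: a dependency-free contact-API
// handler (Node 18+) showing the controls the page lists together:
// server-side validation, per-IP rate limiting with a honeypot field, and
// security headers (plus HSTS) on every response. The handler name, the
// honeypot field name "website", and the limits are assumptions.

const WINDOW_MS = 60_000;    // fixed 1-minute window (assumed value)
const MAX_PER_WINDOW = 5;    // 5 submissions per IP per window (assumed value)
const buckets = new Map();   // ip -> { count, windowStart }; in-memory, single instance

// Headers to attach to every response. CSP and HSTS values are illustrative;
// a real policy is tuned to the site's assets and to the HSTS preload list rules.
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Fixed-window counter: returns true once this IP has exceeded the limit.
// `now` is injectable so the behaviour is testable without real time passing.
function isRateLimited(ip, now = Date.now()) {
  const bucket = buckets.get(ip);
  if (!bucket || now - bucket.windowStart >= WINDOW_MS) {
    buckets.set(ip, { count: 1, windowStart: now });
    return false;
  }
  bucket.count += 1;
  return bucket.count > MAX_PER_WINDOW;
}

// Server-side validation. Returns the list of failing field names; 'honeypot'
// means the hidden field (which a human never sees in the form) was filled in.
function validateContact(body) {
  if (typeof body !== 'object' || body === null) return ['body'];
  const errors = [];
  if (typeof body.website === 'string' && body.website.trim() !== '') errors.push('honeypot');
  const name = typeof body.name === 'string' ? body.name.trim() : '';
  const email = typeof body.email === 'string' ? body.email.trim() : '';
  const message = typeof body.message === 'string' ? body.message.trim() : '';
  if (name.length < 1 || name.length > 100) errors.push('name');
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email');
  if (message.length < 10 || message.length > 5000) errors.push('message');
  return errors;
}

// Order matters: the cheap rate-limit check runs before any validation work,
// so a flood is rejected as early as possible. Every branch carries the headers.
function handleContact(ip, body, now = Date.now()) {
  const headers = securityHeaders();
  if (isRateLimited(ip, now)) {
    return { status: 429, headers: { ...headers, 'Retry-After': '60' }, body: { error: 'Too many requests' }, delivered: false };
  }
  const errors = validateContact(body);
  if (errors.includes('honeypot')) {
    // Pretend success and discard the message: an automated submitter gets no signal it was filtered.
    return { status: 200, headers, body: { ok: true }, delivered: false };
  }
  if (errors.length > 0) {
    return { status: 400, headers, body: { error: 'Invalid submission', fields: errors }, delivered: false };
  }
  // A real handler would enqueue or send the message here.
  return { status: 200, headers, body: { ok: true }, delivered: true };
}
```

One caveat worth checking in any deployment like the one the page describes: the counter above lives in process memory, which only works for a single long-lived server. On a serverless platform such as Vercel each instance has its own memory, so a per-IP limit needs a shared store (for example a small key-value service) or it silently degrades to "per instance" and stops being a meaningful control.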
Minimal data collection
We collect only what's necessary to respond to inquiries. No cookies, no cross-site tracking, no third-party ad scripts. See our privacy policy for the full data inventory.
Access control
Production credentials follow least-privilege principles. Access is reviewed when team composition changes.
Bug Bounty
We do not currently operate a formal paid bug bounty program. However, we genuinely value reports from the security community. If you report a significant vulnerability in good faith, we will acknowledge it publicly (with your permission) and thank you by name.
Scope
In scope: arclume.ca and any subdomain we operate. Out of scope: denial of service attacks, social engineering of our team, physical access attempts, or reports about third-party services we use (report those directly to the relevant vendor).
security.txt
We publish a security.txt file at the standard location, per RFC 9116.
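A security.txt file is easy to publish and easy to let go stale: RFC 9116 makes both Contact and Expires mandatory, allows Expires only once, and recommends it be no more than a year ahead, so an expired file quietly stops being trustworthy. The checker below is an added example, not arclume.ca's own tooling; the embedded file is a constructed sample in which only the contact address is taken from this page, while the Expires date and Canonical URL are placeholders.

```javascript
// Added example, not arclume.ca's own code: a checker for the fields RFC 9116
// requires or constrains in /.well-known/security.txt. The sample below is
// constructed for illustration (the Contact address is the one this page
// gives; the Expires date and Canonical URL are placeholders).

const SAMPLE_SECURITY_TXT = `# constructed sample, not the live file
Contact: mailto:contact@arclume.ca
Expires: 2030-06-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://arclume.ca/.well-known/security.txt
`;

// Parse "Field: value" lines into a map of lower-cased field name -> values.
// Blank lines, comments and anything without a colon (e.g. the lines of a
// PGP signature block) are skipped; field names are case-insensitive.
function parseSecurityTxt(text) {
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return fields;
}

const URI_SCHEME = /^[a-z][a-z0-9+.-]*:/i;
const ONE_YEAR_MS = 366 * 24 * 60 * 60 * 1000;

// Returns { errors, warnings }. `now` is injectable so checks are deterministic.
function checkSecurityTxt(text, now = new Date()) {
  const f = parseSecurityTxt(text);
  const errors = [];
  const warnings = [];

  // Contact: required; each value must be a URI, and web URLs must use https.
  const contacts = f.get('contact') || [];
  if (contacts.length === 0) errors.push('Contact is missing (required)');
  for (const c of contacts) {
    if (!URI_SCHEME.test(c)) errors.push(`Contact is not a URI (use mailto:, https:// or tel:): ${c}`);
    else if (/^http:/i.test(c)) errors.push(`Contact web URL must use https: ${c}`);
  }

  // Expires: required, exactly once, an RFC 3339 date-time in the future;
  // the RFC recommends a value less than a year ahead.
  const expires = f.get('expires') || [];
  if (expires.length !== 1) {
    errors.push(`Expires must appear exactly once (found ${expires.length})`);
  } else {
    const d = new Date(expires[0]);
    if (Number.isNaN(d.getTime())) errors.push(`Expires is not a valid date-time: ${expires[0]}`);
    else if (d.getTime() <= now.getTime()) errors.push(`Expires is in the past: ${expires[0]}`);
    else if (d.getTime() - now.getTime() > ONE_YEAR_MS) warnings.push('Expires is more than a year away');
  }

  // Canonical: optional, but must be an https URL when present.
  for (const c of f.get('canonical') || []) {
    if (!/^https:\/\//i.test(c)) errors.push(`Canonical must be an https URL: ${c}`);
  }

  // Preferred-Languages: at most once.
  if ((f.get('preferred-languages') || []).length > 1) {
    errors.push('Preferred-Languages must not appear more than once');
  }

  return { errors, warnings };
}
```

Running the checker against the live file on a schedule (a weekly job that fails when `errors` is non-empty or when the Expires warning fires) is a cheap way to notice the file has lapsed before a researcher does.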