Security

Last updated: April 8, 2026

Our Commitment

Security is a core priority at Codunk. We implement industry-standard measures to protect your data, your projects, and your end users. This page describes our security practices and how to report vulnerabilities.

Security Measures

  • Encryption in transit: All connections use TLS 1.2 or higher. HSTS is enforced across all domains.
  • Encryption at rest: Sensitive data (passwords, integration credentials) is encrypted at rest.
  • Authentication: Passwords are hashed using bcrypt. We support email/password, Google, and GitHub OAuth.
  • Data isolation: Row-Level Security (RLS) policies ensure users can only access their own data.
  • Rate limiting: Authentication endpoints, API routes, and deployment endpoints are rate-limited to prevent abuse.
  • Security headers: CSP, X-Frame-Options (DENY), X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy are enforced on all pages.
  • Error monitoring: Automated error tracking helps us detect and respond to issues quickly.
  • Security notifications: Users are notified by email when their password is changed.

Responsible Disclosure Policy

We appreciate security researchers who help us keep Codunk safe. If you discover a security vulnerability, we ask that you disclose it responsibly.

How to report:

  • Email: security@codunk.com
  • Include a detailed description of the vulnerability
  • Include steps to reproduce the issue
  • Include the potential impact
  • If possible, suggest a fix

Our commitment to you:

  • We will acknowledge your report within 48 hours
  • We will provide an initial assessment within 5 business days
  • We will keep you informed of our progress
  • We will not take legal action against researchers who follow this policy
  • We will credit you (if you wish) when the issue is resolved

We ask that you:

  • Do not access, modify, or delete data that does not belong to you
  • Do not disrupt the service or degrade the experience for other users
  • Do not publicly disclose the vulnerability until we have had reasonable time to fix it (minimum 90 days)
  • Do not use automated vulnerability scanners without prior written authorization
  • Act in good faith to avoid privacy violations and service disruption

Scope

The following are in scope for responsible disclosure:

  • codunk.com and all subdomains
  • *.codunk.site (deployed user sites)
  • Codunk API endpoints
  • Authentication and authorization flaws
  • Data exposure or leakage
  • Cross-site scripting (XSS), CSRF, injection attacks
  • Privilege escalation

The following are out of scope:

  • Third-party services (Supabase, Cloudflare, Vercel, Polar) — report directly to them
  • Social engineering or phishing of Codunk employees
  • Denial of service (DoS/DDoS) attacks
  • Content on user-deployed sites (use Report Abuse instead)

Contact

For security concerns:
security@codunk.com

For abuse reports:
abuse@codunk.com

For general inquiries:
contact@codunk.com