Безопасность

Coordinated Vulnerability Disclosure

RFC 9116 security.txt опубликован на /.well-known/security.txt. PGP key, 72-hour acknowledgment SLA, 14-day full triage SLA.

Contact: security@nightboxllc.com

Infrastructure posture

• HTTPS everywhere, HSTS preload-eligible, Strict CSP
• Vercel Edge с Cross-Origin-Opener-Policy + Cross-Origin-Resource-Policy
• WAF custom rules + rate limiting + JA4 TLS fingerprinting
• Honeypot rewrites для /wp-admin, /.env, /xmlrpc.php и др. (HTTP 418)
• Geo-block edge: CU/IR/KP/SY (OFAC) + RU/BY (owner-elect)
• 22-pattern injection scanner на input layer chat agent
• NFKC Unicode normalization

Cryptographic primitives (SDPC)

• X25519 ECDH (RFC 7748)
• ML-KEM-1024 / Kyber (NIST FIPS 203) — post-quantum
• HKDF-SHA256
• AES-256-GCM (FIPS 197 + NIST SP 800-38D)
• 96-bit nonce, 128-bit AEAD tag

Compliance attestations

• Section 889 (NDAA 2019) — fully compliant
• NIST 800-171 — self-attested
• CMMC 2.0 Level 1 — self-attested
• OMB M-22-09 Zero Trust — aligned
• NIST AI RMF 1.0 + AI 600-1 — aligned
• CISA Secure by Design Pledge — signed
• NIST SP 800-177r2 email security — aligned
• EO 14028 SBOM (CycloneDX) — published

Полный compliance manifest: /.well-known/full-compliance-attestation.json