Security

We take coordinated vulnerability disclosure seriously. The contact channel below is monitored continuously.

Coordinated disclosure

Email: security@nightboxllc.com
Machine-readable policy: /.well-known/security.txt

We acknowledge all good-faith reports within 72 hours and provide a remediation timeline within 7 days. Public credit on request.

Email security posture

• SPF with Google sender authorization
• DKIM 2048-bit RSA, Google Workspace-managed
• DMARC p=reject, strict alignment (BOD 18-01 federal grade)
• TLS-RPT RFC 8460 reporting enabled
• MTA-STS RFC 8461 enforce mode policy published
• MX Google smtp inbound (TLS 1.3)

Web security posture

• HSTS preload-eligible (max-age=63072000; includeSubDomains; preload)
• Content Security Policy default-src 'self', frame-ancestors 'none'
• X-Frame-Options DENY · X-Content-Type-Options nosniff
• Cross-Origin Opener / Resource Policy same-origin
• Permissions Policy camera, microphone, geolocation disabled
• Referrer Policy strict-origin-when-cross-origin

Application security posture

• Vercel Edge runtime — V8 isolate sandbox, no persistent shared state
• Chat agent: Unicode NFKC normalization, 22-pattern injection scanner, output sanitizer for tokens / paths / DNA sequences / infrastructure keywords
• Brand-cloak: provider details never leak to client; all responses identify as Claude
• No persistent customer data in client-facing services

Out-of-scope

• Reports requiring physical access to founder devices
• Social engineering of staff
• Theoretical attacks without working proof of concept