Security
Last updated: 2026-04-29
How to report a vulnerability
If you have found a security issue affecting Vigil, please email security@vigil.junocode.com. We treat security reports as urgent and will acknowledge receipt within 2 business days.
Our coordinated disclosure contact is also published at /.well-known/security.txt per RFC 9116.
What to include
- A description of the issue and the route or surface affected
- Reproduction steps or a proof-of-concept
- Your assessment of severity (we'll calibrate against CVSS v3.1 in our reply)
- Whether you would like public credit on this page once fixed
What we ask in return
- Give us a reasonable window to fix before public disclosure — 90 days by default, extendable on request for complex issues.
- Don't access, modify, or exfiltrate user data beyond what's required to demonstrate the vulnerability. If you accidentally access data, stop, delete it, and tell us.
- Don't run denial-of-service tests, send spam, or use social engineering against our users or staff.
- Test against your own account on the live site, or against a free trial — please don't test against other users' data.
Reports made in good faith that follow the above will not result in legal action from us; this safe-harbour commitment follows industry-standard disclosure language.
Out of scope
- Findings on subprocessor infrastructure (Supabase, Stripe, Resend, Railway, Cloudflare) — please report those to the vendor directly
- Reports of missing security headers without a demonstrated impact
- SPF / DMARC nuances unless they enable practical spoofing
- Self-XSS or issues that require unusual local conditions
- Reports from automated scanners with no analysis
Our security posture
- Authentication: Supabase Auth with bcrypt password hashing, PKCE flow for email confirmation, MFA-capable.
- Transport: HSTS preload-eligible, TLS 1.3, HTTP/2.
- Data at rest: AES-256 (Supabase managed), full row-level security on every table.
- Internal endpoints: HMAC-SHA256 signed bodies; vault-managed shared secrets.
- CSP: Strict default-src; only Stripe is allowed as an external script source.
- Cookies: Strictly necessary only (Supabase session). No third-party trackers.
- Payments: Stripe Checkout — we never see raw card numbers; tokenisation is server-to-server.
- Backups: Daily Supabase managed backups with documented restore procedure.
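The "HMAC-SHA256 signed bodies" item above is the one posture point that a reporter can actually probe, so it is worth spelling out what a correct implementation looks like. The block below is an added illustration, not Vigil's code: the page only says internal endpoints use HMAC-SHA256 over the body with a vault-managed shared secret. The header names (`X-Timestamp`, `X-Signature`), the timestamp binding, the 300-second replay window and the sample secret are all assumptions made here. It shows the two checks a verifier must get right: reject stale timestamps before doing any cryptography, and compare MACs in constant time.

```python
"""HMAC-SHA256 request signing for an internal endpoint.

Added example, not Vigil's own code. The page states that internal endpoints
use HMAC-SHA256 signed bodies with vault-managed shared secrets; the header
names, timestamp binding and replay window below are assumptions.
"""
import hashlib
import hmac
import time

# Constructed sample secret for this example; a real deployment loads it
# from the secrets vault rather than embedding it in code.
SECRET = b"constructed-shared-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # assumed replay window


def _message(timestamp: int, body: bytes) -> bytes:
    # The timestamp is part of the signed material, so a captured body
    # cannot be replayed with a fresh timestamp, nor a fresh body with an
    # old signature.
    return str(timestamp).encode() + b"." + body


def sign(secret: bytes, body: bytes, timestamp: int) -> dict:
    """Return the headers a caller attaches to the signed request."""
    mac = hmac.new(secret, _message(timestamp, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": mac}


def verify(secret: bytes, body: bytes, headers: dict, now: int) -> tuple:
    """Return (ok, reason).

    Order matters: cheap structural checks first, then the replay window,
    then the MAC. Only the MAC comparison needs to be constant-time; the
    earlier rejections leak nothing about the secret.
    """
    try:
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, _message(ts, body), hashlib.sha256).hexdigest()
    # compare_digest does not short-circuit on the first differing byte,
    # so an attacker cannot recover the MAC one byte at a time via timing.
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample body for a stand-alone run.
    body = b'{"event":"user.created","id":42}'
    now = int(time.time())
    headers = sign(SECRET, body, now)
    print(verify(SECRET, body, headers, now))          # (True, 'ok')
    print(verify(SECRET, body + b" ", headers, now))   # (False, 'bad signature')
```

A reviewer checking an implementation like this looks for three things: that the timestamp (or a nonce) is inside the signed material rather than only in a header, that the comparison uses `hmac.compare_digest` or its equivalent rather than `==`, and that the secret used for verification is the vault-managed value and not a fallback default.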
Hall of thanks
Vigil's coordinated disclosure programme is new — this list is currently empty and we hope to thank you here soon.