Legal

Security

Last updated: February 2026

Overview

CyberScore is built and operated by CSNP, a cybersecurity non-profit. Security is central to everything we build. This page describes the technical measures we implement to protect your data and the integrity of our service.

Encryption

In Transit

All data transmitted between your browser and CyberScore is encrypted using TLS (Transport Layer Security). All API requests and responses, authentication tokens, and scan data are protected in transit.

At Rest

All data stored in our database (hosted on Supabase / PostgreSQL) is encrypted at rest using AES-256 encryption. Database backups are also encrypted.

Access Controls

  • Row-Level Security (RLS): Supabase enforces row-level security policies on all database tables. Users can only access their own data. These policies are enforced at the database level, independent of application code.
  • Authentication: User authentication is handled by Supabase Auth with secure session management. Passwords are hashed using bcrypt. Sessions use secure, httpOnly cookies.
  • Domain verification: Business domain scans require ownership verification via DNS TXT records before accessing employee breach data, preventing unauthorized access to organization-level information.

Rate Limiting

CyberScore enforces rate limiting on all API endpoints using Upstash Redis. Rate limits protect the service from abuse, automated bulk scanning, and denial-of-service attempts. Limits are applied per-user and per-IP to maintain service availability for all users.

Security Headers

CyberScore serves responses with security headers including:

  • Content-Security-Policy: Restricts resource loading to prevent cross-site scripting (XSS) attacks.
  • Strict-Transport-Security: Enforces HTTPS connections for all requests.
  • X-Content-Type-Options: Prevents MIME type sniffing.
  • X-Frame-Options: Prevents the site from being embedded in frames to mitigate clickjacking.
  • Referrer-Policy: Controls the information sent in the Referer header.

Infrastructure Security

CyberScore is built on infrastructure providers that maintain industry-standard security certifications:

  • Supabase: SOC 2 Type II certified. Provides database hosting, authentication, and row-level security.
  • Vercel: SOC 2 Type II certified. Provides application hosting, edge network, and DDoS protection.
  • Sentry: SOC 2 Type II certified. Provides error monitoring without collecting personally identifiable information.

Error Monitoring

We use Sentry for error monitoring to detect and resolve issues that affect service reliability. Sentry captures error context, stack traces, and performance data. It is configured to exclude personally identifiable information from error reports.

Responsible Disclosure

If you discover a security vulnerability in CyberScore, we ask that you disclose it responsibly. Please report vulnerabilities to:

security@csnp.org

When reporting, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any relevant screenshots or proof-of-concept code.

We ask that you allow reasonable time for us to address the issue before any public disclosure. We will acknowledge receipt of your report within 48 hours and provide an estimated timeline for resolution.

Contact

For security-related questions or to report a vulnerability, contact us at security@csnp.org.