Legal

Security Policy

Name: CVERiskPilot
Author: CVERiskPilot LLC

Production trust surfaces should read like part of the platform: clear ownership, clear contacts, and a calm documentation standard.

Owner

CVERiskPilot LLC

Effective

March 30, 2026

Location

San Antonio, Texas

Responsible Disclosure

We take the security of CVERiskPilot and our customers' data seriously. If you believe you have found a security vulnerability in our platform, we encourage you to report it responsibly.

How to Report a Vulnerability

Send your report to security@cveriskpilot.com. Please include:

A description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Any supporting evidence (screenshots, HTTP requests, proof-of-concept code)
Your preferred attribution name if you would like public credit

Our Commitment

Acknowledgment within 24 hours — We will confirm receipt of your report
Assessment within 5 business days — We will evaluate the report and provide an initial assessment
Remediation timeline — Critical issues within 72 hours, high-severity within 14 days
Credit — With your permission, we will publicly acknowledge your contribution
No legal action — We will not pursue legal action against researchers who act in good faith

In Scope

cveriskpilot.com and all subdomains
The @cveriskpilot/scan npm package
Authentication and authorization flaws
Data exposure or cross-tenant leakage
Injection vulnerabilities (SQLi, XSS, SSRF, etc.)
API security issues

Out of Scope

Denial of service (DoS/DDoS) attacks
Social engineering or phishing of employees or customers
Physical attacks against infrastructure
Automated scanning without prior coordination
Issues in third-party services (Stripe, Google, GitHub)

Our Security Practices

AES-256-GCM encryption at rest with Cloud KMS envelope encryption
TLS 1.3 encryption in transit (HSTS preloaded)
Multi-factor authentication (TOTP + WebAuthn/passkeys)
Role-based access control (10 roles, least privilege)
Cloud Armor WAF with OWASP CRS v3.3 rules
Private VPC networking (no public database access)
Tamper-evident audit logging with hash chains
SOC 2 Type II and ISO 27001 certified infrastructure (GCP)
90-day log retention for forensic analysis

Compliance

CVERiskPilot maintains CMMC Level 1 and Level 2 self-assessment support and maps to NIST 800-53, SOC 2, FedRAMP, ASVS, and SSDF frameworks. Our platform helps organizations achieve and maintain compliance across these same frameworks.

Security Contact

Email: security@cveriskpilot.com

PGP: Available upon request

security.txt: /.well-known/security.txt

How to Report a Vulnerability

A description of the vulnerability and its potential impact

Step-by-step instructions to reproduce the issue

Any supporting evidence (screenshots, HTTP requests, proof-of-concept code)

Your preferred attribution name if you would like public credit

Our Commitment

Acknowledgment within 24 hours — We will confirm receipt of your report

Assessment within 5 business days — We will evaluate the report and provide an initial assessment

Remediation timeline — Critical issues within 72 hours, high-severity within 14 days

Credit — With your permission, we will publicly acknowledge your contribution

No legal action — We will not pursue legal action against researchers who act in good faith

Our Security Practices

AES-256-GCM encryption at rest with Cloud KMS envelope encryption

TLS 1.3 encryption in transit (HSTS preloaded)

Multi-factor authentication (TOTP + WebAuthn/passkeys)

Role-based access control (10 roles, least privilege)

Cloud Armor WAF with OWASP CRS v3.3 rules

Private VPC networking (no public database access)

Tamper-evident audit logging with hash chains

SOC 2 Type II and ISO 27001 certified infrastructure (GCP)

90-day log retention for forensic analysis