Security

Security policy

Last updated 2026-04-30

Scope

In-scope systems:

  • brektra.com and all Brektra-operated subdomains
  • The Brektra Engine Docker image (brektra/engine)
  • The Brektra Agent Docker image (brektra/agent)
  • The brektra-cli npm package
  • The Brektra GitHub App

Out of scope:

  • Other Brektra customers' workspaces
  • Denial-of-service against shared infrastructure
  • Social engineering of Brektra employees
  • Physical attacks against Brektra premises
  • Vulnerabilities in third-party services we use (Supabase, Vercel, Anthropic). Report those to the respective vendor.

How to report

Email security@brektra.com with:

  • A clear description of the issue
  • Reproduction steps
  • Affected URL or component
  • Your assessed severity, with reasoning
  • Any proof-of-concept, sanitized of customer data

PGP-encrypted submissions are accepted; request our current public key by email.

Response SLA

  • Acknowledgement: within 48 hours
  • Triage and severity assessment: within 7 days
  • Critical fixes in production: within 14 days
  • High: within 30 days
  • Medium: within 90 days
  • Low: best-effort

Every report receives a final-status email regardless of outcome.

Recognition

Brektra is pre-revenue and currently does not offer monetary bounties or material rewards. We appreciate responsible disclosure. Researchers who report valid findings will receive a written acknowledgment. At our sole discretion, we may publicly credit researchers in a Hall of Fame or security advisory if they request it. We make no promises beyond this acknowledgment.

Safe harbor

Brektra will not pursue legal action, civil or criminal, against researchers operating in good faith within the scope above. You may test against:

  • Your own accounts and your own isolated workspaces
  • Your own engine and agent installations
  • Publicly documented test targets we publish at /security-policy/test-targets when those exist

Testing against other users' workspaces, denial-of-service of shared infrastructure, social engineering of Brektra employees, or physical attacks are out of scope and not protected.

Coordinated disclosure

We follow a 90-day coordinated disclosure timeline, consistent with our Responsible Disclosure page. Once a fix is shipped (or 90 days have passed, whichever comes first), you may publish your finding.