Breaking Bandwidth we are the one who pings

← back

Security

Report a vulnerability

Send security reports to security@breakingbandwidth.com. Encrypt with PGP if your report contains sensitive details.

We acknowledge receipt within three business days, aim to validate or dispute within fourteen calendar days, and follow a coordinated-disclosure model. The full policy is at /vulnerability-disclosure-policy.

Safe-harbour applies to good-faith reports that follow this policy. We do not operate a bug-bounty programme; researchers who choose to be credited will be credited publicly when their report leads to a fix.

Contact

Security (primary)
security@breakingbandwidth.com
Security (fallback)
hello@breakingbandwidth.com
PGP fingerprint
to be published — request the key by email
security.txt
/.well-known/security.txt

Posture summary

Detailed posture (auth model, tenancy isolation, data classification, residency, audit, incident response) is in our Security Summary, available on request to prospective customers and vendor-risk reviewers. Highlights:

  • Identity and access delegated to WorkOS — SSO, SCIM, MFA per the customer organisation's policy.
  • Four-layer tenant isolation: transport, service, repository, and Postgres Row-Level Security with split database roles.
  • EU-primary data residency. US optional for US-domiciled customers on request.
  • TLS 1.3 in transit, AES-256 at rest, per-tenant envelope encryption for customer secrets.
  • Subscriber identifiers (IMSI, MSISDN, IMEI, SUPI, GUTI) redacted at finding construction; raw values held in a separate, access-logged store.
  • SOC 2 Type I and ISO/IEC 27001:2022 on the roadmap.

Sub-processors

We engage sub-processors to deliver the service. Material changes are announced here with at least thirty days' notice.

Sub-processorFunctionRegion
WorkOSIdentity, SSO, SCIM, audit logsUS/EU
CloudflareDNS, CDN, WAF, DDoSGlobal edge
SentryError trackingEU available
Managed PostgresPrimary datastoreEU
Object storageEvidence and report blobsEU
GitHubSource-code hostingUS

Stripe, Temporal Cloud, observability vendor, transactional email vendor, and webhook delivery vendor are added to the list as those platform features come online.

For procurement teams

The following are available on request via the security contact above:

  • One-page Security Summary (PDF)
  • SIG-Lite-style questionnaire, pre-filled (XLSX)
  • Data Processing Agreement template (DOCX, GDPR Article 28)
  • Current-state attestation against the SOC 2 / ISO 27001 control catalogues, under NDA

Scope

This policy and the Vulnerability Disclosure Policy cover the public website, Breaking Bandwidth product surfaces (Scanner, Acceptance, Pentest) when publicly accessible to customers, and public source-code repositories under github.com/breaking-bandwidth. Findings in third-party services we integrate with should be reported to the operator of that service.