Security

Report a vulnerability

SECURITY.md

Security Policy — BlackRoad OS, Inc.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

Email: security@blackroad.io
Do NOT open a public issue for security vulnerabilities
Do NOT share vulnerability details publicly before a fix is deployed

Response Timeline

Acknowledgment: within 24 hours
Assessment: within 72 hours
Fix: severity-dependent, critical within 7 days

Scope

This policy covers all BlackRoad OS repositories, products, and infrastructure.

Principles

User data belongs to users. Always.
API keys are encrypted at rest.
No plaintext secrets in source code or configuration.
All endpoints use origin-restricted CORS.
Admin operations require authentication.
Rate limiting on all AI-powered endpoints.
XSS sanitization on all user-generated content.

Contact

BlackRoad OS, Inc.
Founder & CEO: Alexa Louise Amundson
security@blackroad.io
https://blackroad.io

There aren’t any published security advisories