Security Policy

REDWIPE focuses exclusively on the external attack surface of your authorized domains. Our scanning covers:

• DNS records (A, AAAA, CNAME, MX, TXT, NS, SOA, SRV)
• Certificate Transparency logs and live TLS certificate analysis
• HTTP endpoints (status codes, headers, technology fingerprinting)
• Publicly exposed services and open ports
• Email security configuration (SPF, DKIM, DMARC)
• Cloud storage bucket enumeration (S3, Azure, GCP)
• Known vulnerability assessment using community and custom templates

REDWIPE does not scan internal networks, private IP ranges, or systems behind firewalls. All scanning is limited to externally reachable assets.

No scanning activity occurs until the domain owner completes our verification process:

1. Domain Registration: The user adds their domain to the REDWIPE dashboard.
2. Authorization Acknowledgment: The user confirms they are authorized to scan the domain by accepting the Scanning Authorization Agreement.
3. DNS TXT Verification: The user adds a unique TXT record to their domain DNS, which REDWIPE verifies before enabling scanning.

Domains that fail verification or have not been authorized cannot be scanned. Free scan functionality is limited to a single external assessment with restricted depth.

Our scanning pipeline operates in five stages, each with specific safety controls:

1. Passive Discovery: Subdomain enumeration, DNS intelligence, certificate analysis, WHOIS lookup, technology profiling, and credential intelligence. No direct interaction with target systems.
2. Active Discovery: HTTP probing, TCP port scanning, cloud asset verification, email security audit, and subdomain takeover detection. Rate-limited to 10 requests per second per host by default.
3. Vulnerability Assessment: Template-based scanning using Nuclei with safety filters that block destructive templates (DoS, fuzzing, brute-force). Severity limits are enforced based on plan tier.
4. Exploit Verification: Safe, non-destructive proof-of-concept testing. All exploit modules have safety controls: max 3 auth attempts, read-only cloud access (max 1KB), benign XSS payloads, auto-release timers for takeover proofs.
5. AI Classification: Machine learning false positive detection, risk scoring, and automated remediation generation. No interaction with target systems.

All scan data is protected with multiple layers of security:

• AES-256 encryption at rest for all stored data
• TLS 1.2+ for all data in transit
• Multi-tenant row-level security (RLS): PostgreSQL RLS policies ensure that each organization can only access its own data. No data leakage between tenants is possible.
• Distroless containers: All services run in minimal containers with no shell access, reducing the attack surface of our own infrastructure.
• Private networking: All database and cache instances are on private networks with no public endpoints.

We welcome security researchers who responsibly disclose vulnerabilities in REDWIPE infrastructure or services.

• Report to: security@redwipe.com
• Response time: We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.
• Safe harbor: We will not pursue legal action against good-faith security researchers who follow responsible disclosure practices and do not access, modify, or delete customer data.
• Scope: Our web applications (redwipe.com, app.redwipe.com, api.redwipe.com), API endpoints, and authentication systems are in scope. Third-party services (Stripe, Firebase, GCP) are out of scope.

For encrypted communication, our PGP public key is available upon request. Contact security@redwipe.com to request our current PGP key.

The REDWIPE platform is built with security as a foundational requirement:

• Hosted on Google Cloud Platform with SOC 2 Type II certified infrastructure
• Private GKE cluster with no public node IPs and network policies restricting inter-service communication
• No public database or cache endpoints — all data stores are accessible only through private VPC networking
• All container images are built from distroless base images with no shell, no package manager, and minimal attack surface
• Secrets managed through GCP Secret Manager with External Secrets Operator — no secrets in environment variables or code
• Role-based access control (RBAC) with 4 roles and 6 permission types, enforced at every API endpoint

For security-related inquiries:

• SOC 2 Type II: In progress — expected completion Q3 2026.
• ISO 27001: Planned for 2027.
• GDPR: Compliant. See our Privacy Policy for details.
• CCPA: Compliant. California residents have additional rights as described in our Privacy Policy.

• All employees undergo background checks before onboarding.
• Security awareness training is mandatory and conducted quarterly.
• Access to production systems follows the principle of least privilege.
• Multi-factor authentication is required for all internal systems.
• Employee access is reviewed quarterly and revoked immediately upon separation.

REDWIPE maintains a documented incident response plan. In the event of a security incident:

• Initial response: Within 24 hours of detection.
• Customer notification: Within 72 hours for incidents affecting customer data.
• Post-incident review: Within 5 business days, with a root cause analysis and remediation plan.
• Regulatory notification: As required by applicable law (e.g., GDPR supervisory authorities).