
Security Policy

Last updated: April 14, 2026

We take security seriously. If you have found a vulnerability in any PrivDNA system, we want to hear about it. This page describes how to report issues responsibly and what you can expect in return.

Reporting a vulnerability

Email security@privdna.com. Please do not disclose the issue publicly until we have had a reasonable opportunity to address it.

Include as much detail as you can:

  • A description of the vulnerability
  • Steps to reproduce
  • The potential impact
  • Any suggested mitigations
  • Screenshots, logs, or proof-of-concept code if relevant

This contact is also published in our security.txt (RFC 9116).

What to expect

  • Within 72 hours — we will acknowledge receipt of your report.
  • Within 7 days — we will provide an initial assessment and confirm whether the issue is valid.
  • Within 30 days — we aim to have a fix deployed for confirmed vulnerabilities.

Scope

In scope

  • privdna.com (this website)
  • The waitlist signup flow and unsubscribe endpoints
  • Authentication, session, or credential handling on any PrivDNA system
  • Data exposure, unauthorized access, or integrity issues affecting any data PrivDNA holds
  • Cryptographic implementation issues in our open-source code at github.com/danthi123/PrivDNA

Out of scope

  • Social engineering or phishing attacks against PrivDNA staff or customers
  • Denial of service (DoS or DDoS) attacks
  • Vulnerabilities in third-party services we depend on (Cloudflare, Vercel, our email provider, etc.) — please report those upstream
  • Issues that require physical access to PrivDNA infrastructure
  • Automated vulnerability scanning conducted without prior coordination
  • Reports from automated tools without manual verification
  • Best-practice deviations with no demonstrated security impact (missing headers, software version disclosure, etc.)

Our physical sequencing infrastructure is air-gapped by design. Once it is operational, on-site testing scope and rules of engagement will be published separately. Until then, on-site testing is out of scope.

Safe harbor

We consider security research conducted in accordance with this policy to be authorized, and we will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or with explicit permission of the account holder
  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue
  • Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them (we ask for at least 90 days)

If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make your good-faith conduct known.

How we protect your data

Our current public surface area is small, and we keep the protections concrete:

  • TLS 1.3 in transit, enforced site-wide with HSTS preload
  • AES-256-GCM encryption of waitlist email values at rest
  • scrypt key derivation for passphrase-to-key generation
  • HMAC-SHA256 hashing for duplicate detection (irreversible)
  • SQLCipher full-database encryption
  • Strict Content Security Policy, X-Frame-Options DENY, and a minimal cookie footprint (no third-party tracking cookies)
  • Open-source codebase that anyone can audit

For a full description of our long-term architectural commitments (air-gapped sequencing workstation, witnessed cryptographic destruction of working drives, offline customer key handoff), see our whitepaper.

Important notes

  • No bug bounty program. We do not currently pay monetary rewards. We are happy to credit researchers publicly for valid reports, with their permission.
  • No automated scanning. Please do not run automated vulnerability scanners against our production systems without prior coordination. Contact us first if you want to perform extensive testing.
  • Responsible disclosure. We ask that you give us at least 90 days to address a reported issue before any public disclosure.

Contact

For security reports: security@privdna.com.

For privacy questions, see our Privacy Policy.

Security is not a checklist. It is the discipline behind every claim we make.