Security
Security & responsible disclosure
How Buildfyio secures your workloads, and how to report a vulnerability.
Responsible disclosure
If you believe you've found a security issue in Buildfyio, please email security@buildfyio.com before disclosing it publicly. We'll acknowledge within one business day and aim to triage within three.
Safe harbor: as long as you act in good faith, don't exfiltrate customer data, and don't degrade our service or others', we won't pursue legal action.
Scope
- buildfyio.com and every subdomain we host.
- The public API at /v1 (documented at /v1/docs).
- The buildfyio-cli and buildfyio-agent binaries we distribute.
Out of scope: customer applications deployed on our platform (contact the customer directly), volumetric DoS, missing security headers that don't lead to a concrete vulnerability, findings from automated scanners without an exploitable POC.
What we do
- Isolation: every user pod runs under PSA restricted, drops ALL Linux capabilities, and lives behind a per-tenant NetworkPolicy that denies cross-tenant traffic.
- Encryption: env vars, API tokens, MFA secrets, and provider tokens are AES-256-GCM encrypted at rest with versioned keys.
- Auth: passkeys + TOTP MFA, rotating refresh tokens (jti), per-org SSO/SAML and IP allowlists.
- Supply chain: every user image is scanned with Trivy for CVEs + a SPDX SBOM; images with critical CVEs never deploy. Platform images are signed with cosign and gated by admission.
- Egress: user pods can't reach cloud metadata IPs or outbound SMTP on port 25 by default.
Contact
Prefer PGP? Grab the public key at /security/pgp-key.txt.
Hall of fame
Researchers who help us fix a real security issue get named here (with permission).
- (You could be first.)