Security

Security & responsible disclosure

How Buildfyio secures your workloads, and how to report a vulnerability.

Responsible disclosure

If you believe you've found a security issue in Buildfyio, please email security@buildfyio.com before disclosing it publicly. We'll acknowledge within one business day and aim to triage within three.

Safe harbor: as long as you act in good faith, don't exfiltrate customer data, and don't degrade our service or others', we won't pursue legal action.

Scope

  • buildfyio.com and every subdomain we host.
  • The public API at /v1 (documented at /v1/docs).
  • The buildfyio-cli and buildfyio-agent binaries we distribute.

Out of scope: customer applications deployed on our platform (contact the customer directly), volumetric DoS, missing security headers that don't lead to a concrete vulnerability, findings from automated scanners without an exploitable POC.

What we do

  • Isolation: every user pod runs under PSA restricted, drops ALL Linux capabilities, and lives behind a per-tenant NetworkPolicy that denies cross-tenant traffic.
  • Encryption: env vars, API tokens, MFA secrets, and provider tokens are AES-256-GCM encrypted at rest with versioned keys.
  • Auth: passkeys + TOTP MFA, rotating refresh tokens (jti), per-org SSO/SAML and IP allowlists.
  • Supply chain: every user image is scanned with Trivy for CVEs + a SPDX SBOM; images with critical CVEs never deploy. Platform images are signed with cosign and gated by admission.
  • Egress: user pods can't reach cloud metadata IPs or outbound SMTP on port 25 by default.

Contact

Prefer PGP? Grab the public key at /security/pgp-key.txt.

Hall of fame

Researchers who help us fix a real security issue get named here (with permission).

  • (You could be first.)