Security
Security is fundamental to everything we do at Bugtri. As a platform that handles vulnerability disclosure data on behalf of our customers, we take our responsibility to protect that data seriously. This page outlines the measures we implement to safeguard the platform, your account, and the data processed through our triage pipeline.
1. Data Sanitisation & Privacy by Design
Before any vulnerability report content is sent to a third-party AI provider for analysis, Bugtri automatically sanitises it by replacing sensitive data (URLs, IP addresses, email addresses, domains, and custom patterns) with safe placeholder tokens. This ensures your real infrastructure details never reach the AI provider.
Tokens are restored only in the final triage summary email delivered to your mailbox. You have full control over which data types are sanitised and can define custom redaction patterns.
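The tokenise-then-restore flow described above, as an added illustration that is not Bugtri's own code: each sensitive value is swapped for a placeholder before the text leaves the system, the token-to-value mapping stays local, and the tokens are mapped back only when the final summary is assembled. The token format (`[URL_1]`), the regexes, the `Sanitiser` class and the sample report are assumptions constructed for this example; the sample uses reserved documentation addresses and a made-up ticket format.

```python
import re

# Built-in data types, in the order they are applied. Order matters: a URL
# contains a domain (and may contain an e-mail address), so URLs go first and
# bare domains last, otherwise a later pattern would match inside an earlier one.
BUILTIN_PATTERNS = [
    # Scheme + host + path; the final class stops the match before trailing punctuation.
    ("URL", re.compile(r"https?://[^\s\"'<>]*[^\s\"'<>.,;:!?)]")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DOMAIN", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|dev)\b", re.I)),
]

# Shape of the placeholder tokens this example emits, e.g. "[URL_1]" (assumed format).
TOKEN_RX = re.compile(r"\[[A-Z][A-Z0-9_]*_\d+\]")


class Sanitiser:
    """Replace sensitive values with placeholder tokens and restore them later."""

    def __init__(self, enabled=None, custom_patterns=None):
        # enabled: set of built-in type names to apply (None = all of them).
        self.patterns = [(n, rx) for n, rx in BUILTIN_PATTERNS
                         if enabled is None or n in enabled]
        # custom_patterns: {name: regex} for organisation-specific redaction rules.
        for name, pattern in (custom_patterns or {}).items():
            tag = re.sub(r"[^A-Z0-9]", "_", name.upper())
            self.patterns.append((tag, re.compile(pattern)))
        self.mapping = {}     # token -> original value (kept locally, never sent out)
        self._reverse = {}    # original value -> token, so repeats share one token
        self._counters = {}   # per-type numbering

    def _token_for(self, tag, value):
        token = self._reverse.get(value)
        if token is None:
            self._counters[tag] = self._counters.get(tag, 0) + 1
            token = f"[{tag}_{self._counters[tag]}]"
            self.mapping[token] = value
            self._reverse[value] = token
        return token

    def sanitise(self, text):
        """Return text with every match replaced by a token; only this text leaves."""
        for tag, rx in self.patterns:
            text = rx.sub(lambda m, tag=tag: self._token_for(tag, m.group(0)), text)
        return text

    def restore(self, text):
        """Put the original values back into text that was derived from sanitised input."""
        return TOKEN_RX.sub(lambda m: self.mapping.get(m.group(0), m.group(0)), text)

    def leaks(self, text):
        """Names of enabled patterns that still match text; an empty list means clean."""
        return [tag for tag, rx in self.patterns if rx.search(text)]


# Constructed sample report: RFC 2606 / RFC 5737 reserved names and addresses.
REPORT = (
    "Title: IDOR in invoice download (internal ticket BT-20417)\n"
    "Steps: log in as tester@example-corp.com at https://app.example-corp.com/login,\n"
    "then request https://app.example-corp.com/invoices/42 from 203.0.113.7.\n"
    "The API host api.example-corp.com returns another user's invoice.\n"
    "Requests from 203.0.113.7 were not logged."
)


def triage_round_trip(report=REPORT):
    """Sanitise a report, simulate the provider's reply, restore tokens in the summary."""
    s = Sanitiser(custom_patterns={"ticket": r"\bBT-\d{4,}\b"})  # assumed custom rule
    outbound = s.sanitise(report)                 # this is all the provider would see
    assert s.leaks(outbound) == [], "a pattern still matches the outbound text"
    # Constructed stand-in for the provider's response; it only ever sees tokens.
    reply = "Severity: High. Confirmed IDOR on [DOMAIN_1]; reported by [EMAIL_1] from [IP_1]. Track as [TICKET_1]."
    return outbound, s.restore(reply)


if __name__ == "__main__":
    sent, summary = triage_round_trip()
    print("--- sent to provider ---\n" + sent)
    print("--- final summary ---\n" + summary)
```

Two details carry the security point: the same value always maps to the same token, so the provider can still reason about "the same host appears twice" without learning what the host is, and `leaks()` re-runs every enabled pattern over the outbound text so a regex gap is caught before the text is sent rather than discovered afterwards.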
2. Authentication & Access Control
- Email and password authentication with bcrypt hashing
- Email verification via double opt-in before account activation
- CSRF protection on all form submissions and API endpoints
- Session-based authentication with configurable idle timeouts
- OAuth 2.0 for mailbox connections (Google Workspace and Microsoft 365) with minimal scope permissions
- Admin console protected by multi-factor authentication (TOTP)
3. Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive stored credentials (OAuth tokens, API keys) are encrypted at rest using AES-256-GCM
- Passwords are hashed using bcrypt with appropriate cost factors
4. Infrastructure Security
- Platform hosted on hardened servers with regular security patching
- Firewall rules restricting inbound access to necessary ports only
- Database access restricted to application-level connections only
- Daily automated backups with encrypted off-site storage
- Centralised error logging with daily rotation and access controls
5. Application Security
- Input validation and output encoding to prevent injection attacks (SQL injection, XSS, command injection)
- Content Security Policy (CSP) headers to mitigate cross-site scripting
- Rate limiting on authentication endpoints and API calls
- Secure HTTP headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- Session fixation and hijacking protections
6. Data Retention & Deletion
You control how long processed vulnerability report data is retained through configurable retention policies in your account settings. Options include:
- Configurable retention period (7 to 365 days)
- Option to store or exclude vulnerability details from retained data
- Automatic purging of expired data
- Manual purge capability for immediate data deletion
7. Admin Security
- Multi-admin support with role-based access control (super admin and admin roles)
- TOTP-based multi-factor authentication for all admin accounts
- Active session tracking with the ability to revoke individual or all sessions
- Emergency lockdown mode to immediately restrict platform access
- Comprehensive audit logging of administrative actions
8. Third-Party Integrations
Bugtri integrates with third-party services including AI providers (via your own API key), Google Workspace, Microsoft 365, and Stripe. We follow the principle of least privilege when requesting permissions and regularly review integration security.
We do not store full credit card details. Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider.
9. Incident Response
In the event of a security incident, Bugtri will take immediate steps to contain, investigate, and remediate the issue. Where required by applicable law, we will notify affected users and relevant authorities within the prescribed timeframes.
10. Responsible Disclosure
If you believe you have discovered a security vulnerability in the Bugtri platform, we encourage you to report it to us responsibly. Please contact with details of the vulnerability.
We ask that you do not publicly disclose the issue until we have had reasonable time to investigate and address it. We are committed to acknowledging and resolving valid reports promptly.
11. Contact Us
For security-related questions or concerns, please contact us at .