Security
How we protect your data — and what to do if you find a vulnerability.
Email [email protected] — never open a public issue.
We acknowledge within 48 hours and provide a mitigation timeline within 7 days.
Reporting
Send to [email protected] with:
- A clear description of the vulnerability.
- Steps to reproduce.
- Potential impact.
- Your contact info (for follow-up).
Coordinated disclosure: please hold public disclosure for up to 90 days from acknowledgement so we can ship a fix. We'll credit you in the advisory unless you prefer to remain anonymous.
Cryptography
- TLS 1.2+ mandatory for all external connections.
- Passwords: bcrypt, cost factor 12.
- JWTs: HS256 with 256-bit secrets, rotated every 90 days.
- API keys: SHA-256 hashed at rest. Raw key shown once to the user.
- Refresh tokens: 30-day TTL with rotation + revocation tracking.
- APK integrity: SHA-256 verified end-to-end.
- Pairing IDs: 48-bit cryptographically random (crypto.randomBytes).
- Webhook payloads: HMAC-SHA256 signed.
Threat model
In scope
- DroidFleet server (Node/TypeScript)
- Android agent (Kotlin)
- Web UI
- Electron desktop wrapper
- WebSocket relay
Assumptions
- The server runs in a trusted environment (your laptop, your VPS).
- The phone agent runs on a device the user owns. We don't defend against a malicious phone agent impersonating a legitimate one; the room-code + JWT pairing flow is what binds an agent to your account, so use it.
- The relay is hostile — it can see traffic and might attempt replay/forward attacks. Both ends apply cryptographic checks on incoming messages.
Out of scope
- Physical access to the host machine.
- Compromised Android OS (rooted phone, malicious firmware).
- Side-channel attacks on phone hardware.
- Your WhatsApp/SMS/email provider security.
Defenses we ship
| Threat | Defense |
|---|---|
| Brute-force login | bcrypt + per-IP rate limit |
| Token theft | Refresh-token rotation; reuse of revoked token logs out all sessions |
| API key leak | Hashed storage; revocation in one click |
| XSS | Strict CSP, no inline event handlers, escape-on-render |
| CSRF | SameSite cookies + Bearer tokens preferred for state-changing calls |
| Clickjacking | X-Frame-Options: DENY + frame-ancestors 'none' |
| MITM | HSTS preload + TLS 1.2+ enforced |
| Webhook spoofing | HMAC-SHA256 signature on every payload |
| SQL injection | Prisma ORM with parameterized queries throughout |
| Stolen DB dump | No plaintext secrets stored; passwords + API keys are hashes |
Operational security
- Least-privilege IAM + MFA for every employee.
- Production secrets stored in an encrypted environment, never in git.
- Weekly Snyk vulnerability scans on dependencies.
- CI runs on every PR — type-check, tests, container build.
- Affected users notified within 72 hours of a confirmed breach (GDPR Art. 33).
Bug bounty
We don't run a formal monetary bounty yet. For confirmed non-trivial findings we send a swag pack and credit you in the advisory. We'll add cash bounties when our customer base warrants it.
Compliance roadmap
- ✅ GDPR — DPA available on request.
- ✅ CCPA — full user-rights flow exposed in account settings.
- ✅ Israeli Privacy Protection Law 5741-1981 — primary jurisdiction.
- 🟡 SOC 2 Type II — Q4 2026 target for Enterprise customers.
- 🟡 ISO 27001 — under evaluation.
PGP key
For sensitive disclosure, fetch our PGP key:
curl https://droidfleet.dev/.well-known/pgp.asc
Fingerprint: (published with first signed advisory)