Security

We treat security as a code layer, not a badge.

Every engineering decision starts from one question: what happens if this part leaks? This page lists the answers.


Encryption in transit and at rest

TLS 1.3 for data in transit, AES-256 for data at rest, and Argon2id (memory-hard) for password hashing.

Session management

15-minute access JWTs paired with 30-day refresh tokens, immediate revocation on logout, and TOTP-based two-factor authentication.
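As an added illustration (example code, not cd4cd's own implementation), the session scheme above in about eighty lines of standard-library Python: an HS256 access JWT with a 15-minute exp, an opaque single-use refresh token stored only as its SHA-256 and rotated on every use, and a logout that revokes immediately. The one caveat worth spelling out is that a signed JWT cannot be revoked by itself; "instant" revocation of the access token needs a small server-side denylist keyed on the token's jti, which only has to remember entries for 15 minutes. The signing key, the in-memory stores, the jti/denylist mechanism and the assumption that password and TOTP were already verified before login() runs are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60           # access JWT lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime: 30 days
SIGNING_KEY = secrets.token_bytes(32)   # assumption: demo key; use a managed secret in production

# Server-side state. Assumption: in-memory dicts stand in for a database or Redis.
_refresh_store = {}   # sha256(refresh token) -> {"sub": ..., "exp": ...}
_revoked_jti = {}     # jti of logged-out access JWTs -> their exp (pruned after expiry)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _digest(token: str) -> str:
    # Only the hash of a refresh token is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_access_jwt(sub: str, now: float) -> str:
    """HS256 JWT with a 15-minute exp and a random jti so it can be denylisted."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL, "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_jwt(token: str, now: float):
    """Return the claims if the JWT is well-formed, HS256-signed by us, unexpired
    and not revoked; otherwise None."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm server-side: never let the token's own header choose it
        # (this is what blocks the classic alg=none bypass).
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims.get("exp", 0) <= now or claims.get("jti") in _revoked_jti:
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims


def issue_refresh_token(sub: str, now: float) -> str:
    token = secrets.token_urlsafe(32)   # opaque, 256 bits of entropy
    _refresh_store[_digest(token)] = {"sub": sub, "exp": now + REFRESH_TTL}
    return token


def login(sub: str, now: float):
    """Assumption: password and TOTP were already checked; this only mints the pair."""
    return issue_access_jwt(sub, now), issue_refresh_token(sub, now)


def refresh(token: str, now: float):
    """Single-use rotation: the presented refresh token is consumed and a new pair issued."""
    rec = _refresh_store.pop(_digest(token), None)
    if rec is None or rec["exp"] <= now:
        return None
    return login(rec["sub"], now)


def logout(access_jwt: str, refresh_token: str, now: float) -> bool:
    """Immediate revocation: drop the refresh token and denylist the access JWT's jti.
    The denylist only has to remember a jti until its exp, i.e. at most 15 minutes."""
    claims = verify_access_jwt(access_jwt, now)
    if claims is not None:
        _revoked_jti[claims["jti"]] = claims["exp"]
    for jti, exp in list(_revoked_jti.items()):   # prune entries that have expired anyway
        if exp <= now:
            del _revoked_jti[jti]
    return _refresh_store.pop(_digest(refresh_token), None) is not None


if __name__ == "__main__":
    now = time.time()
    access, refresh_tok = login("alice", now)
    print("valid:", verify_access_jwt(access, now)["sub"])
    logout(access, refresh_tok, now)
    print("after logout:", verify_access_jwt(access, now))
```

Two design points carried by the example: the refresh token is rotated on every use, so a stolen-and-replayed refresh token fails as soon as the legitimate client has used it, and the verifier pins the algorithm rather than trusting the token's own alg field.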

IP hashing

HMAC-SHA256 under a secret key that is rotated daily. We never store raw IPs.
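An added example (not cd4cd's code) of what that control looks like, and of why the HMAC key has to be secret rather than a public salt: with a known salt, the IPv4 space is small enough (at most 2^32 candidates) that anyone holding the tags can simply enumerate addresses and undo the hashing. The master secret, the per-day key derivation, the "ip-pseudonym/" label and the use of packed addresses for canonicalisation are assumptions of this example, not details published by cd4cd.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Assumption: a long-lived master secret held in a secret manager. The per-day
# key is derived from it, so daily rotation needs no key distribution at all.
MASTER_SECRET = secrets.token_bytes(32)


def day_key(day: str, master: bytes = MASTER_SECRET) -> bytes:
    """Key for one calendar day (day is an ISO date such as '2024-01-01')."""
    return hmac.new(master, b"ip-pseudonym/" + day.encode(), hashlib.sha256).digest()


def _canonical(ip: str) -> bytes:
    """Packed address, so '::ffff:203.0.113.9' and '203.0.113.9' tag identically."""
    addr = ipaddress.ip_address(ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def pseudonymize_ip(ip: str, day: str, master: bytes = MASTER_SECRET) -> str:
    """Stable within a day (rate limiting and abuse correlation still work),
    unlinkable across days, and not reversible without the key."""
    return hmac.new(day_key(day, master), _canonical(ip), hashlib.sha256).hexdigest()


def salted_hash(ip: str, public_salt: bytes) -> str:
    """The weak alternative: SHA-256 over a salt that is not secret (e.g. stored next to the tags)."""
    return hashlib.sha256(public_salt + _canonical(ip)).hexdigest()


def recover_from_salted_hash(tag: str, public_salt: bytes, network: str) -> Optional[str]:
    """Anyone who knows the salt can enumerate the tiny IPv4 space (a /24 here,
    2^32 at worst) and reverse the 'hashing'. That is why the key must be secret."""
    for addr in ipaddress.ip_network(network):
        if salted_hash(str(addr), public_salt) == tag:
            return str(addr)
    return None


if __name__ == "__main__":
    import datetime
    today = datetime.date.today().isoformat()
    print("today's tag:", pseudonymize_ip("203.0.113.9", today))
    print("recovered from salted hash:",
          recover_from_salted_hash(salted_hash("203.0.113.9", b"salt"), b"salt", "203.0.113.0/24"))
```

One operational consequence of daily rotation: a tag written on Monday cannot be matched against Tuesday's traffic, which is the privacy property wanted, but it also means any per-IP rate limit or abuse counter that keys on the tag resets at midnight.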

WAF + Bot Management

Cloudflare WAF, Cloudflare Turnstile for bot management, and per-endpoint rate limits.

Tight access control

Engineers reach the production database only through a bastion host, and every session is fully audit-logged.

Annual audit

An independent external security audit is carried out every year; a summary is published on this page.

Responsible Disclosure

Found a vulnerability? Email us before publishing anything; we reply within 24 hours.

Email

[email protected]

PGP key available on request.

Scope

  • cd4cd.com
  • api.cd4cd.com
  • *.cd4cd.com

Out of scope

  • DDoS / denial of service
  • Social engineering
  • Third-party sites

Rewards

Severity   Reward
Critical   2,500 – 10,000 SAR
High       500 – 2,500 SAR
Medium     100 – 500 SAR
Low        Hall of fame + merch