Security

Effective: 2026-05-12

Our security commitment

CounterSwarm handles sensitive operational data for critical-site readiness work. We take security seriously, and this page reflects the controls, safety boundary, and disclosure process we can truthfully describe today.

Transport security

Expected deployments terminate HTTPS in front of the product and API. Local/demo environments may run without full production transport controls.

Role-based permissions

The product enforces role-aware access controls across org, site, incident, and report flows.

Audit coverage

Sensitive workflow actions are logged, and current work is focused on making report and evidence artifacts more durable and reviewable.

Identity provider boundary

Application passwords are not stored by CounterSwarm. Auth is delegated to an external identity provider in the current stack.

Safety verification

Before any release claim is made, the repository runs a red-team vocabulary gate and explicit defensive-only boundary checks.

Current truth

This project remains private and under active hardening. We do not claim full production deployment readiness on this page.

Infrastructure security

  • Hosting: The current repo supports local and pre-production operation. Final hosting posture is still being hardened and should be treated as environment-dependent.
  • Database: Organizational data is modeled in an isolated application database with role-aware access patterns.
  • Secrets management: Secrets are expected to come from environment or platform-managed secret stores, not source control.
  • Access controls: Cross-origin access is restricted by configured origin allow-lists rather than an open policy.
  • Rate limiting: Abuse controls are an active hardening area and should not be assumed complete unless a deployment explicitly verifies them.

Responsible disclosure

We operate a responsible disclosure programme. If you discover a security vulnerability in CounterSwarm, please report it to us before public disclosure so we can address it promptly.

Report a vulnerability

Email: security@counterswarm.io

Please include the affected URL or component, steps to reproduce, and the potential impact. We aim to acknowledge reports within 2 business days and provide a resolution timeline within 5 business days.

We ask that you:

  • Give us reasonable time to investigate and fix before public disclosure
  • Avoid accessing or modifying other users' data
  • Not perform denial-of-service attacks or disrupt production systems

In return, we commit not to pursue legal action against good-faith security researchers who follow this policy.

Incident response

Incident response and breach-notification commitments should be set in the commercial agreement for any pilot or deployment. This page is not a substitute for customer-specific security or legal terms.