WarisanNusantara

Trust · Security

Security disclosure

We take security seriously. Here's how to report a vulnerability, and what we promise in return.

Report a vulnerability

Found a security issue? Email security@warisannusantara.com with a description, steps to reproduce, and (if possible) a proof-of-concept.

We respond within 24 hours. We aim to fix critical issues within 7 days.

What we promise

  • Acknowledgement within 24 hours. We read every report personally.
  • No legal action. We won't sue you or report you to law enforcement for good-faith research, in line with our Responsible Disclosure Policy.
  • Credit (if you want it). We'll add you to our Hall of Fame when you give us permission.
  • Regular updates. We'll keep you posted on the fix progress.
  • Coordinated disclosure. We'll work with you on a reasonable disclosure timeline.

Our security practices

Transport: All traffic over TLS 1.3 with HSTS. HPKP pins for known good certificates (note that current browsers have dropped HPKP support, so the pins are advisory rather than enforced by clients).

Storage: AES-256 encryption at rest for all persistent data. PBKDF2 with 100k rounds for password hashing (via Appwrite).

Authentication: JWT with HS256, httpOnly secure cookies, 7-day session expiry, automatic refresh.
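The authentication line above names the moving parts (an HS256 JWT carried in an httpOnly, Secure cookie, a 7-day expiry and automatic refresh) but not the checks that make that arrangement safe. The Python below is an added illustration, not WarisanNusantara's code: it mints and verifies such a token with the algorithm pinned to HS256 (so a forged header claiming `alg: none` or a key-confusion attempt is rejected before any signature logic runs), compares the MAC in constant time, enforces `exp`, and emits the Set-Cookie header. The cookie name, `Path`, `SameSite=Lax` and the one-day refresh window are assumptions; the secret key is a constructed placeholder.

```python
"""HS256 session-JWT helper: mint, verify with pinned algorithm, emit Set-Cookie.
Illustrative example only; not the project's own implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TTL = 7 * 24 * 60 * 60   # 7-day expiry, as stated on the page
COOKIE_NAME = "session"           # assumed cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, subject: str, role: str, now: Optional[int] = None) -> str:
    """Issue header.claims.signature with exp = now + SESSION_TTL."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "role": role, "iat": now, "exp": now + SESSION_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the claims or raise ValueError.

    The algorithm is pinned to HS256: the header's own 'alg' is checked against
    the expected value, never used to select a verifier, so 'none' or an RSA
    public key presented as an HMAC secret cannot bypass the signature check.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def session_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly and Secure as the page states; Path and
    SameSite=Lax are assumed; Max-Age matches the 7-day token expiry."""
    return (f"{COOKIE_NAME}={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def should_refresh(claims: dict, now: Optional[int] = None, window: int = 24 * 3600) -> bool:
    """Automatic refresh policy (assumed): re-issue when under `window` seconds remain."""
    now = int(time.time()) if now is None else now
    return claims["exp"] - now < window


if __name__ == "__main__":
    secret = b"example-secret-do-not-use"   # constructed placeholder; load real keys from a secret store
    t = mint_token(secret, "user-123", "editor", now=1_700_000_000)
    print(session_cookie(t))
    print(verify_token(secret, t, now=1_700_000_000 + 10))
```

Because the cookie is httpOnly, the refresh has to be server-initiated: on each authenticated request, call `should_refresh` on the verified claims and, when it returns true, mint a fresh token and re-send `session_cookie` in the response rather than relying on client-side script.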

Authorization: Role-based access control. Per-resource ownership for user-generated content.

Backups: Daily automated backups, 90-day retention, encrypted with a separate key from production.

Monitoring: 24/7 uptime monitoring, anomaly detection, and incident response.

In scope

  • warisannusantara.com and all subdomains
  • The Warisan Nusantara mobile app (when released)
  • Our Appwrite, PocketBase, and OpenRouter integrations

Out of scope

  • Third-party services (we'll forward, but the issue is with them)
  • Social engineering attacks against our team
  • Physical attacks against our infrastructure
  • Denial of service attacks
  • Rate limiting or brute force (we have protections)
  • Recently disclosed 0days without a working PoC

Bug bounty

We're working on a formal bug bounty program. In the meantime, we offer:

  • Public credit (Hall of Fame), under your name or anonymous, your choice
  • A 1-year Pro subscription
  • For critical findings: $100-$500 cash bounty (case by case)

Paid bounties are reserved for findings that demonstrate real exploitability and a serious business impact.