Security

Security Policy

Last updated: June 2025

Our Commitment

Security is at the core of BoltHash. We protect your software — and we take protecting your data just as seriously. This page outlines our security practices and how to report vulnerabilities.

Infrastructure Security

Encryption

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed with bcrypt at cost factor 12 (2^12 key-setup rounds, with a random per-password salt)
  • JWTs are signed with strong secrets and have limited lifetimes (see Authentication below)
  • License signatures use Ed25519 (Curve25519; 32-byte public keys, 64-byte signatures)

Authentication

  • Stateless JWT-based authentication (no server-side session store)
  • Two-factor authentication (TOTP) available for all accounts
  • Session tokens expire after 3 days
  • Rate limiting on all authentication endpoints

Application Security

  • Input validation and parameterized SQL queries (user input is never concatenated into SQL)
  • Content Security Policy (CSP) headers on all pages
  • Helmet.js security headers enabled
  • Rate limiting on API endpoints per plan tier
  • Audit logging of all administrative actions

Code Protection Security

When you use BoltHash to protect your software:

  • Source code never leaves your machine — hashing and obfuscation run locally
  • Only integrity manifests (hashes) and license metadata are transmitted to our servers
  • Device fingerprints are stored as one-way hashes — we cannot reconstruct hardware details
  • License verification uses HMAC-signed requests to prevent tampering

Vulnerability Disclosure

We appreciate responsible security research. If you discover a vulnerability, please report it to us:

How to Report

  • Email: security@boltopen.com
  • Include a detailed description, steps to reproduce, and potential impact
  • Do not publicly disclose the vulnerability before we have addressed it

Our Response

  • Acknowledgement within 48 hours
  • An assessment and a fix timeline within 7 days
  • Credit in our changelog (if desired) after the fix is deployed

Compliance

Enterprise customers can request SOC 2 and ISO 27001 compliance reports. Self-hosted deployments give you full control over where your data resides, for data sovereignty requirements.

Contact

For security questions, contact security@boltopen.com.