VIEWPORT

Security policy

Coordinated vulnerability disclosure, our response SLAs, and what we publish.

Reporting a vulnerability

Email security@getviewport.com. PGP key on request.

What to include:

  • Description of the vulnerability.
  • Reproduction steps (URL or code snippets).
  • Impact assessment.
  • Your contact info and whether you'd like public credit.

What to expect:

  • Acknowledgement within 24 hours during business days (US Eastern).
  • Initial assessment and severity within 5 business days.
  • Patch plan within 10 business days for critical, 30 days for high, 90 days for medium / low.
  • Public disclosure coordinated with you. Default 90 days; we'll request extensions if needed and agree on a timeline.

We do not currently run a bug bounty. We pay for critical / high-severity reports on a case-by-case basis and always with explicit credit if you want it.

Scope

In scope:

  • getviewport.com, app.getviewport.com, api.getviewport.com, relay.getviewport.com.
  • The @viewportai/daemon npm package.
  • The ghcr.io/viewportai/relay Docker image.
  • Public mobile app (when shipped).

Out of scope:

  • Third-party services (WorkOS, Resend, Stripe). Report directly to them.
  • Social engineering of Viewport staff.
  • Physical security of Viewport offices.
  • DDoS or volumetric attacks.

What we publish

  • Security advisories: published at github.com/viewportai/viewport/security/advisories. Subscribe to releases for alerts.
  • CVE assignments: for upstream packages we maintain or fork.
  • Postmortems: for any security incident with customer impact. Within 14 days of resolution.

What we don't publish

  • Active investigations.
  • Reports we received with a private/embargoed flag.
  • Penetration test reports (available under NDA to enterprise customers).

Customer-facing security artifacts

For enterprise customers:

  • Latest SOC 2 Type I report (available now, NDA).
  • SOC 2 Type II report (in audit window, expected Q4).
  • ISO 27001 attestation (planned).
  • Penetration test reports (annual; available under NDA).
  • DPA / data processing terms.

Email security@getviewport.com to request.

Operational security

  • MFA enforced on all Viewport-staff accounts.
  • Production access is gated through change management and audited.
  • Encryption at rest for the platform database (AES-256, AWS KMS).
  • Encryption in transit for everything that crosses the public internet.
  • Backups encrypted, geo-replicated, retention per data-processing terms.
  • Vendor reviews for any third-party processor that touches customer data.

Threat model (high level)

  • We design against a compromised platform staff member with database read access. The mitigation is: context vault content is ciphertext-only, session transcripts are not persisted.
  • We design against a compromised relay node. The mitigation is: encrypted payloads, no persistence.
  • We design against compromised customer credentials. The mitigation is: per-binding crypto identity, audit log, fast revocation.

We do not (yet) design against:

  • A nation-state adversary with control of both the customer's local machine and the network path.
  • A compromised hardware supply chain.

See Concepts: Trust and privacy for the implementation detail.

Contact

  • General security: security@getviewport.com.
  • Sales / compliance questions: hello@getviewport.com.
  • Press: press@getviewport.com.
