About
Security policy
Coordinated vulnerability disclosure, response targets, and what we publish.
Reporting a vulnerability
Email security@getviewport.com. PGP key on request.
What to include:
- Description of the vulnerability.
- Reproduction steps (URL or code snippets).
- Impact assessment.
- Your contact info and whether you'd like public credit.
What to expect:
- Acknowledgement within 24 hours during business days (US Eastern).
- Initial assessment and severity within 5 business days.
- Patch plan within 10 business days for critical, 30 days for high, 90 days for medium / low.
- Public disclosure coordinated with you. Default 90 days; we'll request extensions if needed and agree on a timeline.
We do not currently run a bug bounty. We pay for critical / high-severity reports on a case-by-case basis and always with explicit credit if you want it.
Scope
In scope:
getviewport.com,app.getviewport.com,api.getviewport.com,relay.getviewport.com.- The
@viewportai/daemonnpm package. - The
ghcr.io/viewportai/relayDocker image. - Public mobile app (when shipped).
Out of scope:
- Third-party services (WorkOS, Resend, Stripe). Report directly to them.
- Social engineering of Viewport staff.
- Physical security of Viewport offices.
- DDoS or volumetric attacks.
What we publish
- Security advisories: published at github.com/viewportai/viewport/security/advisories. Subscribe to releases for alerts.
- CVE assignments: for upstream packages we maintain or fork.
- Postmortems: for any security incident with customer impact. Within 14 days of resolution.
What we don't publish
- Active investigations.
- Reports we received with a
private/embargoedflag.
Customer-facing security artifacts
We are still early. We do not have SOC 2, ISO 27001, or a third-party penetration test report to share yet.
Available now:
- Security architecture notes in these docs.
- Coordinated vulnerability disclosure by email.
- A security questionnaire conversation by email if you are evaluating an alpha deployment.
Email security@getviewport.com with security questions.
Operational security
- MFA enforced on all Viewport-staff accounts.
- Production access is gated through change management and audited.
- Encryption at rest for the hosted platform database through the managed database provider.
- Encryption in transit for everything that crosses the public internet.
- Backups encrypted by the managed infrastructure provider.
- Vendor reviews for third-party processors that touch customer data.
Threat model (high level)
- We design against a compromised platform staff member with database read access. The mitigation is: context vault content is ciphertext-only, session transcripts are not persisted.
- We design against a compromised relay node. The mitigation is: encrypted payloads, no persistence.
- We design against compromised customer credentials. The mitigation is: per-binding crypto identity, audit log, fast revocation.
We do not (yet) design against:
- A nation-state adversary with control of the customer's local machine + the network path.
- A compromised hardware supply chain.
See Concepts: Trust and privacy for the implementation detail.
Contact
- General security:
security@getviewport.com. - Sales / compliance questions:
hello@getviewport.com. - Press:
contact@getviewport.com.