Security
How we secure Vela — both the open-source software and the hosted service. Short version: defence in depth, responsible disclosure welcome, and a real pager.
Open-source software
Supply chain
Dependencies are pinned in composer.lock and every update is reviewed before merge. Dependabot alerts plus a monthly audit catch known CVEs in the dependency tree.
Code review
Every PR reviewed before merge. Security-sensitive changes (auth, routing, image processing) require a second reviewer and a note in the PR description.
Disclosure
Found a security issue? Email [email protected]. Do not open a public GitHub issue. We aim to acknowledge within 24 hours and patch critical issues within 72 hours.
Vela Hosted
Network
TLS 1.2+ everywhere. HSTS preloaded. HTTP/3 over QUIC. All internal service-to-service traffic encrypted.
Data
Databases encrypted at rest. Backups encrypted at rest. Access gated by SSO + MFA; all admin access logged.
Isolation
Each site runs in an isolated environment. No shared filesystem, no shared database credentials. Uploads are sandboxed, and the client-declared MIME type is checked against the file's magic bytes rather than trusted on its own.
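The check that paragraph describes, as an added illustration in Python (not Vela's own code, which is not shown on this page): the declared MIME type and the filename extension are compared against an allow-list, the first bytes of the file are matched against known magic signatures, and the file is stored under a server-chosen random name so neither the client's filename nor its declared type reaches the filesystem. The allow-list, the offset-based signature format and the `validate_upload` / `sniff_type` names are assumptions made for this example; SVG is deliberately left out because it has no binary magic and can carry script.

```python
"""Upload validation by allow-listed MIME type, extension and magic bytes."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Allow-list, constructed for this example. Each entry gives the canonical
# extension to store under, accepted alias extensions, and magic signatures.
# A signature is a list of (offset, bytes) pairs that must ALL match; any one
# signature matching is enough (GIF has two, WebP needs two offsets).
ALLOWED_TYPES = {
    "image/png":       {"ext": ".png",  "aliases": (),         "magic": [[(0, b"\x89PNG\r\n\x1a\n")]]},
    "image/jpeg":      {"ext": ".jpg",  "aliases": (".jpeg",), "magic": [[(0, b"\xff\xd8\xff")]]},
    "image/gif":       {"ext": ".gif",  "aliases": (),         "magic": [[(0, b"GIF87a")], [(0, b"GIF89a")]]},
    "image/webp":      {"ext": ".webp", "aliases": (),         "magic": [[(0, b"RIFF"), (8, b"WEBP")]]},
    "application/pdf": {"ext": ".pdf",  "aliases": (),         "magic": [[(0, b"%PDF-")]]},
}

HEADER_BYTES = 16  # covers every offset + pattern length in the table above


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    storage_name: str | None = None  # server-chosen name, never the client's


def _signature_matches(header: bytes, signature: list[tuple[int, bytes]]) -> bool:
    # A truncated header yields a short slice, which fails the comparison.
    return all(header[off:off + len(pat)] == pat for off, pat in signature)


def sniff_type(data: bytes) -> str | None:
    """Return the allow-listed MIME type whose magic bytes match, or None."""
    header = data[:HEADER_BYTES]
    for mime, spec in ALLOWED_TYPES.items():
        if any(_signature_matches(header, sig) for sig in spec["magic"]):
            return mime
    return None


def validate_upload(declared_mime: str, filename: str, data: bytes) -> Verdict:
    """Accept only if declared type, extension and magic bytes all agree."""
    mime = declared_mime.split(";")[0].strip().lower()  # drop "; charset=..." parameters
    spec = ALLOWED_TYPES.get(mime)
    if spec is None:
        return Verdict(False, f"type not allowed: {mime}")

    # Only the basename matters; any directory parts the client sent are ignored.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""
    if ext != spec["ext"] and ext not in spec["aliases"]:
        return Verdict(False, f"extension {ext!r} does not match {mime}")

    sniffed = sniff_type(data)
    if sniffed != mime:
        return Verdict(False, f"magic bytes say {sniffed or 'unknown'}, client said {mime}")

    # Random storage name with the canonical extension: a double extension or
    # path fragment in the client's filename never influences where it lands.
    return Verdict(True, "ok", secrets.token_hex(16) + spec["ext"])


if __name__ == "__main__":
    # Constructed sample: a PHP script uploaded under an image name and type.
    print(validate_upload("image/png", "avatar.png", b"<?php system($_GET['c']); ?>"))
```

The order of the checks is deliberate: the allow-list lookup is cheapest and rejects everything exotic (including SVG) before any bytes are inspected, and the final rename means that even a file that passes all three checks is written with a name and extension the server chose. A payload that satisfies a real image signature can still reach the image-processing code, which is why the page also isolates uploads in a sandbox rather than relying on this check alone.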
Incident response
On-call rotation 24/7. Post-mortems published for customer-impacting incidents. Customers notified within 24 hours of any confirmed data breach.
Responsible disclosure
We recognise and thank researchers who report in good faith. We don't offer paid bounties yet — that's coming with the v1.0 hosted launch.
Contact
[email protected] · PGP key available on request.