Security

Our commitment to keeping your data safe, and how to report vulnerabilities.

Security Practices

Citable ESG Orgs. is built with security as a priority. All data is encrypted in transit using TLS. Passwords are hashed using bcrypt. Authentication tokens are stored securely and rotated regularly. We use parameterised queries to prevent SQL injection, and all user inputs are sanitised.

Infrastructure

The platform is hosted on infrastructure with automated backups, DDoS protection, and monitoring. Database access is restricted and audited. We conduct regular dependency audits and keep all packages up to date.

Vulnerability Disclosure Policy

We encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability in Citable ESG Orgs., please report it to us so we can address it promptly.

How to Report

  • Email your findings to security@citableesg.com
  • Include a detailed description of the vulnerability
  • Provide steps to reproduce the issue
  • Include screenshots or proof-of-concept code if applicable
  • Do not access or modify other users' data
  • Do not publicly disclose the vulnerability before we have addressed it

Our Commitment

  • We will acknowledge your report within 48 hours
  • We will provide an estimated timeline for a fix
  • We will notify you when the vulnerability has been resolved
  • We will not take legal action against researchers who follow this policy

Scope

This policy covers the Citable ESG Orgs. web application and API. Third-party services (Lemon Squeezy, authentication providers) have their own security policies; vulnerabilities in those services should be reported directly to the provider concerned.