Security Policy

Last updated: May 18, 2026

We take security seriously. If you discover a vulnerability in Authentk, we want to hear from you. We commit to working with you in good faith and will not pursue legal action against researchers who act responsibly under this policy.

How to report

Email your findings to [email protected]. If your report contains sensitive details, please encrypt it using our PGP public key.

Include as much detail as possible: steps to reproduce, potential impact, and any proof-of-concept. We will acknowledge receipt within 3 business days and aim to provide a resolution timeline within 10 business days.

Scope

The following are in scope for security research:

authentk.com and all subdomains
api.authentk.com — the Authentk backend API
The Authentk iOS application
Cryptographic verification and attestation logic

Out of scope

The following are explicitly out of scope. Reports in these categories will not be accepted:

Social engineering attacks against Authentk employees or users
Physical attacks against infrastructure or devices
Denial of service attacks (volumetric or application-layer)
Spam or email phishing
Vulnerabilities in third-party services we depend on (AWS, Apple, Twilio) — report those directly to the vendor
Automated scanner output without demonstrated exploitability
Issues requiring unlikely or highly privileged user interaction
Missing HTTP security headers with no demonstrated impact
Rate limiting issues unless they lead to a meaningful security bypass

Safe harbor

We will not initiate or support any legal action against you for security research conducted in good faith under this policy, including under the Computer Fraud and Abuse Act (CFAA) or similar laws. We consider good-faith research to include: only accessing accounts you own or have explicit permission to test, not exfiltrating, modifying, or deleting user data, not disrupting production services, and disclosing to us before making findings public.

What we ask of you

Do not access, modify, or delete data belonging to other users
Do not disrupt or degrade our services
Do not exploit a vulnerability beyond what is necessary to demonstrate it
Give us reasonable time to address the issue before public disclosure (we ask for 90 days)
Do not share details of the vulnerability with others until it is resolved

Note: We do not currently offer a bug bounty programme. We will publicly acknowledge responsible disclosures on our acknowledgements page with your permission.

Contact

[email protected]
PGP key: authentk.com/pgp-key.txt
Fingerprint: EA90 FBF5 A111 0262 B5CA 6AFF B50A 354C DCDF B393