We treat security like compliance: not a project but an ongoing posture. Hardening, encryption, and isolation by default. Disclosure paid in real money.
TLS 1.3 in transit, AES-256 at rest. KMS-backed keys, per-tenant envelope encryption for PII.
Workloads run in dedicated VPCs, with strict IAM boundaries. Production access is just-in-time and dual-approved.
WebAuthn-first auth for staff and customers. SSO for orgs at any tier.
Static analysis on every PR, dependency scanning on every merge, quarterly third-party pen tests.
24x7 detection on production. Pager rotation, runbooks, and post-mortems shared with affected customers.
Point-in-time recovery, cross-region replicas, restore drills run monthly.
If you find a security issue, please report it to security@bequest.org. Encrypt with our PGP key for sensitive details.
We respond within one business day, fix critical issues within 14, and pay rewards for verified findings on a published scale.
We won't pursue researchers who act in good faith under our disclosure terms. The full policy is on this page.