vaultocean

// security

Built to be trusted, not just told to be

This community is run by people who break things for a living, so the platform is held to that standard. No system is unbreakable — but here is what we do, plainly.

Strict Content-Security-Policy

No third-party scripts; frame-ancestors 'none'; object-src 'none'.

Hardened headers

HSTS with preload, X-Content-Type-Options: nosniff, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy, restrictive Permissions-Policy.
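The two items above name a header set without showing it. What follows is an added example, not Vault Ocean's code: a header set of the kind described, as Node.js response headers, plus a small audit that checks a Content-Security-Policy string for exactly the three properties claimed (no third-party script sources, frame-ancestors 'none', object-src 'none') and checks that an HSTS value meets the preload-list requirements. The concrete values, the `setHardenedHeaders`/`auditCsp`/`hstsPreloadReady` names and the weak comparison policy are assumptions; the page does not publish the live configuration.

```javascript
// Added example (not Vault Ocean's code): a hardened header set of the kind the
// page describes, plus checks that a policy actually has the claimed properties.
// The concrete values are assumptions; the page does not publish them.

const HARDENED_HEADERS = {
  'Content-Security-Policy': [
    "default-src 'self'",
    "script-src 'self'",        // no third-party or inline scripts
    "object-src 'none'",        // no plugin content via <object>/<embed>
    "frame-ancestors 'none'",   // cannot be framed anywhere (clickjacking)
    "base-uri 'self'",
    "form-action 'self'",
  ].join('; '),
  // Two years, subdomains included, preload: meets the hstspreload.org minimums.
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=()',
};

// Apply to a Node http.ServerResponse (or anything with a setHeader method).
function setHardenedHeaders(res) {
  for (const [name, value] of Object.entries(HARDENED_HEADERS)) res.setHeader(name, value);
  return res;
}

// Parse "name v1 v2; name2 v3" into Map(name -> [values]).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Audit a CSP against the three claims on this page. Returns a list of findings;
// an empty list means the policy satisfies them.
function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];

  // Claim 1: no third-party scripts. script-src falls back to default-src.
  const scriptSrc = csp.get('script-src') ?? csp.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
  } else {
    for (const src of scriptSrc) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'") {
        findings.push(`script-src allows ${src}`);
      } else if (!s.startsWith("'")) {
        // Anything unquoted is a host- or scheme-source (cdn.example.com, https:, *).
        findings.push(`script-src allows third-party source ${src}`);
      }
    }
  }

  // Claim 2: frame-ancestors 'none'. This directive does NOT inherit default-src,
  // so a policy of just "default-src 'none'" still leaves the site frameable.
  const fa = csp.get('frame-ancestors');
  if (!fa || fa.length !== 1 || fa[0].toLowerCase() !== "'none'") {
    findings.push("frame-ancestors is missing or not exactly 'none'");
  }

  // Claim 3: object-src 'none' (this one does inherit default-src).
  const objectSrc = csp.get('object-src') ?? csp.get('default-src');
  if (!objectSrc || objectSrc.length !== 1 || objectSrc[0].toLowerCase() !== "'none'") {
    findings.push("object-src is missing or not exactly 'none'");
  }
  return findings;
}

// HSTS preload submission requires max-age >= 31536000 (one year),
// includeSubDomains and preload.
function hstsPreloadReady(value) {
  const d = value.split(';').map((x) => x.trim().toLowerCase());
  const maxAge = d.find((x) => x.startsWith('max-age='));
  const seconds = maxAge ? Number(maxAge.slice('max-age='.length)) : 0;
  return seconds >= 31536000 && d.includes('includesubdomains') && d.includes('preload');
}

// Constructed weak policy for comparison: an allow-listed CDN plus 'unsafe-inline',
// nothing stopping framing, and an object-src that inherits a permissive default-src.
const WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https://cdn.example.com";
```

Running `auditCsp` on the hardened policy returns no findings; on `WEAK_CSP` it returns four, one for each way the policy falls short. The frame-ancestors check is the one most often got wrong in practice, since that directive does not fall back to default-src the way script-src and object-src do.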

Server-side authorization

Whether a flag is correct and whether a user may perform a privileged action are decided from server-side state; nothing the client sends is trusted for either.

Constant-time comparisons

Flag verification uses a constant-time comparison, so response timing does not reveal how much of a guess matched; submissions are rate-limited against brute force.

No passwords stored

Identity is delegated to GitHub OAuth via Supabase.

Open source

The platform and its tools are auditable. Trust is earned by reading the code.

// responsible disclosure

Found something? Tell us first.

If you find a vulnerability in Vault Ocean or any tool in the arsenal, report it privately before disclosing publicly. We will acknowledge, fix, and credit you, and the report itself earns fathoms. A formal policy and a security.txt (RFC 9116) land alongside public launch.

security@vaultocean.com