Security Policy
Last updated: April 30, 2026
Our Security Commitment
BlackTide monitors critical infrastructure for Web3 teams and traditional businesses alike. We take the security of our platform and our customers' data seriously. This page describes our security practices and how to responsibly report vulnerabilities.
Security Measures
Encryption in transit and at rest
All data is encrypted in transit via TLS 1.3. Sensitive fields are encrypted at rest using AES-256.
httpOnly cookies + CSRF protection
Authentication tokens are stored in httpOnly cookies. Every state-changing request validates a CSRF Double Submit Cookie.
Security headers
CSP, X-Frame-Options (DENY), HSTS with preload, Referrer-Policy, and Permissions-Policy are set on all responses.
Access controls
Role-based access control (admin, member, viewer) is enforced at the API layer. The principle of least privilege is applied to all internal services.
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in BlackTide, please follow this process:
- Email us at security@blacktide.xyz with a description of the issue and steps to reproduce it.
- Include scope: affected URLs, endpoints, or components; the type of vulnerability (e.g., XSS, IDOR, injection); and potential impact.
- Do not access or modify customer data, disrupt service availability, or publicly disclose the issue before we have had a chance to address it.
- We will acknowledge your report within 48 hours and keep you updated on our progress.
Response Timeline
| Stage | SLA |
|---|---|
| Initial acknowledgement | Within 48 hours |
| Severity assessment | Within 5 business days |
| Patch for critical (CVSS ≥ 9.0) | Within 7 days |
| Patch for high (CVSS 7.0–8.9) | Within 30 days |
| Patch for medium/low | Within 90 days |
Scope
In-scope for responsible disclosure:
- blacktide.xyz and all subdomains (api.blacktide.xyz, status.blacktide.xyz)
- BlackTide web application (dashboard, monitors, alerts, status pages)
- BlackTide REST API
Out of scope:
- Denial of service attacks
- Social engineering of BlackTide employees
- Physical security
- Third-party services used by BlackTide
Recognition
We sincerely appreciate the effort of security researchers who help us keep BlackTide secure. With your permission, we will acknowledge your contribution in our release notes when a fix ships. We currently do not operate a paid bug bounty program, but we are considering one. If you report a critical issue, we will recognize your contribution appropriately.
Contact
- Security reports: security@blacktide.xyz
- General support: support@blacktide.xyz
- Privacy & legal: [email protected]