Security

Built for an audience that checks

Our users evaluate security postures for a living. Here is ours, stated plainly, including what we deliberately do not have.

Architecture

Data handling

What we don't claim

No SOC 2 report, no bug bounty program, and no 24/7 security team: this is a small product run by a practitioner, secured by keeping the design boring and the data minimal. We would rather tell you that than imply otherwise with a page of badges.

Vulnerability disclosure

Found something? We want it. Email hello@cisoprep.com (also published at /.well-known/security.txt). You'll get a human reply within two business days, credit if you want it, and no legal theater for good-faith research.