Encryption everywhere
AES-256-GCM at rest, TLS 1.3 in transit, per-tenant key isolation via AWS KMS. Credential templates stored on-device only.
Explore Product
More from EntryBit
Trust center
EntryBit guards your doors — we hold ourselves to the same standard. Here's exactly how.
Six pillars
Every layer independently audited and hardened. No single failure compromises the system.
AES-256-GCM at rest, TLS 1.3 in transit, per-tenant key isolation via AWS KMS. Credential templates stored on-device only.
SSO, SCIM, MFA enforcement, and least-privilege defaults. No permanent service accounts.
Hash-chained event log. Every admin action signed and exportable.
Private VPC, mTLS device fleet, WAF at the edge.
Every controller firmware update cryptographically signed.
Live SOC, pager rotation, incident response under 15 min.
Responsible disclosure
We welcome responsible disclosure. Email security@entrybit.net with reproduction steps. The full policy, scope, and safe-harbor terms are below — with attribution in our acknowledgments.
Vulnerability disclosure program
If you believe you have found a security vulnerability in EntryBit, please report it through the channel below. Security researchers who follow this policy in good faith are welcome here — the sections that follow describe exactly what is in scope, what is not, how we respond, and the safe-harbor protections you can rely on.
Research, testing, and vulnerability disclosure is authorized against the following EntryBit-operated assets:
The following are explicitly excluded from this program. Reports in these categories will be closed without further investigation.
If you make a good-faith effort to comply with this policy during your research, EntryBit will:
Good-faith research means you:
We acknowledge reports within the following targets. Remediation timelines are targets — complex fixes or customer-rollout coordination may extend them; we will communicate ahead of time.
We follow a coordinated disclosure model. Our default window is 90 days from the initial report. For complex fixes, customer rollouts, or supply-chain coordination, we may propose an extension with a specific target date. For critical issues under active exploitation, we may request a longer hold; for trivial issues we often publish faster. Early joint publication is welcome when both sides agree.
A useful report includes:
Email security@entrybit.net. The machine-readable contact is published at /.well-known/security.txt per RFC 9116. Researchers with accepted reports are listed, with consent, in our acknowledgments.
This policy is adapted from the disclose.io Core template (CC0). English is the authoritative language; translations are advisory. This is a vulnerability-disclosure program, not a paid bug-bounty.
Our security team is happy to walk you through our architecture, runbooks and audit evidence.