Skip to content

Trust center

Security is the product.

EntryBit guards your doors — we hold ourselves to the same standard. Here's exactly how.

Six pillars

Defense in depth, from chip to cloud.

Every layer independently audited and hardened. No single failure compromises the system.

Encryption everywhere

AES-256-GCM at rest, TLS 1.3 in transit, per-tenant key isolation via AWS KMS. Credential templates stored on-device only.

Zero-trust access

SSO, SCIM, MFA enforcement, and least-privilege defaults. No permanent service accounts.

Tamper-evident audit

Hash-chained event log. Every admin action signed and exportable.

Private network

Private VPC, mTLS device fleet, WAF at the edge.

Signed firmware

Every controller firmware update cryptographically signed.

24/7 monitoring

Live SOC, pager rotation, incident response under 15 min.

Responsible disclosure

Found a vulnerability?

We welcome responsible disclosure. Email security@entrybit.net with reproduction steps. The full policy, scope, and safe-harbor terms are below — with attribution in our acknowledgments.

Vulnerability disclosure program

Report a security issue.

If you believe you have found a security vulnerability in EntryBit, please report it through the channel below. Security researchers who follow this policy in good faith are welcome here — the sections that follow describe exactly what is in scope, what is not, how we respond, and the safe-harbor protections you can rely on.

In scope

Research, testing, and vulnerability disclosure is authorized against the following EntryBit-operated assets:

  • entrybit.net — marketing site
  • app.entrybit.net — customer dashboard
  • api.entrybit.net — public REST and webhooks API
  • docs.entrybit.net — developer documentation
  • *.entrybit.net — other subdomains operated by EntryBit
  • Mobile applications published by EntryBit (iOS and Android)
  • Firmware released by EntryBit for controllers you legitimately own or are authorised to test

Out of scope

The following are explicitly excluded from this program. Reports in these categories will be closed without further investigation.

  • Third-party services we use (AWS, Cloudflare, Stripe, analytics vendors) — report directly to the vendor
  • Customer accounts, data or devices you do not own or have not been explicitly authorised to test
  • Denial-of-service attacks (volumetric, application-layer, resource exhaustion)
  • Physical attacks on EntryBit offices, data centres, or customer sites
  • Social engineering of EntryBit employees, contractors, customers, or partners
  • Automated scanner output without a demonstrated exploit path
  • Missing security headers, cipher suite preferences, banner grabbing — unless chained to a concrete exploit
  • Self-XSS, CSRF on no-impact endpoints (logout, etc.), or clickjacking on pages with no sensitive state
  • Email-authentication record suggestions (SPF / DKIM / DMARC) — email security@ directly if you believe one is wrong
  • Rate-limit issues on public read endpoints without demonstrable harm

Safe harbor

If you make a good-faith effort to comply with this policy during your research, EntryBit will:

  • Consider your research to be authorised under the US Computer Fraud and Abuse Act (CFAA), Israeli Computer Law 5755-1995, the UK Computer Misuse Act, and equivalent anti-hacking statutes
  • Consider your research to be exempt from restrictions in our Terms of Service that would interfere with security research
  • Waive DMCA claims against you for circumventing technological measures needed to perform the research
  • Not pursue, support, or refer for prosecution any civil or criminal action against you related to this research
  • Work with you to understand and resolve the issue quickly, and publicly credit you (with your permission) in our acknowledgments

Good-faith research

Good-faith research means you:

  • Play within the scope defined above
  • Do not access, modify, exfiltrate, or retain customer data beyond the minimum needed to demonstrate the vulnerability
  • Do not intentionally exploit a vulnerability beyond what is needed for a proof-of-concept
  • Report the issue to security@entrybit.net promptly after discovery
  • Give us reasonable time to remediate before any public disclosure (see the Disclosure window below)
  • Comply with all other applicable laws, including privacy and data-protection laws

Response time (SLA)

We acknowledge reports within the following targets. Remediation timelines are targets — complex fixes or customer-rollout coordination may extend them; we will communicate ahead of time.

  • Critical (remote code execution, authentication bypass, large-scale data exposure) — acknowledge within 24 hours, target fix within 7 days
  • High (privilege escalation, sensitive-data access for a single tenant, stored XSS with session impact) — acknowledge within 72 hours, target fix within 30 days
  • Medium (limited XSS, CSRF with impact, rate-limit bypass with abuse path) — acknowledge within 7 days, target fix within 90 days
  • Low (information disclosure without practical exploit, best-practice deviations) — acknowledge within 14 days, remediate on a best-effort basis

Coordinated disclosure

We follow a coordinated disclosure model. Our default window is 90 days from the initial report. For complex fixes, customer rollouts, or supply-chain coordination, we may propose an extension with a specific target date. For critical issues under active exploitation, we may request a longer hold; for trivial issues we often publish faster. Early joint publication is welcome when both sides agree.

Preferred report format

A useful report includes:

  • Summary — one line describing the impact
  • Affected asset — URL, feature, version, or build ID
  • Reproduction steps — numbered, explicit, copy-paste-friendly
  • Expected vs. actual behaviour
  • Impact — what could an attacker do with this?
  • Suggested mitigation (optional, appreciated)
  • Your preferred credit name (or request anonymity)

Contact

Email security@entrybit.net. The machine-readable contact is published at /.well-known/security.txt per RFC 9116. Researchers with accepted reports are listed, with consent, in our acknowledgments.

This policy is adapted from the disclose.io Core template (CC0). English is the authoritative language; translations are advisory. This is a vulnerability-disclosure program, not a paid bug-bounty.

Enterprise-grade trust
for every door.

Our security team is happy to walk you through our architecture, runbooks and audit evidence.