Last Updated: February 1, 2026
Version: 1.0

Indexa takes security seriously. We are committed to protecting our users, their data, and our infrastructure. This document outlines our security practices, vulnerability disclosure process, and how you can help us maintain a secure platform.

If you discover a security vulnerability in Indexa, please report it responsibly.

Email: security@indexa.site

Include in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any proof-of-concept code (if applicable)
• Your contact information for follow-up

• Do not publicly disclose the vulnerability before we've addressed it
• Do not access or modify other users' data
• Do not perform actions that could harm service availability
• Do not use automated scanners without permission
• Do not exploit the vulnerability beyond proof-of-concept

In Scope:

• indexa.site and all subdomains
• Indexa API endpoints
• Authentication system (OwlGuard)
• Search functionality
• Dufus AI interfaces
• Browser extension

Out of Scope:

• Third-party services and integrations
• Social engineering attacks
• Physical security attacks
• Denial of service (DoS/DDoS) attacks
• Spam or content abuse
• Issues requiring physical access

High Severity:

• Remote code execution
• SQL injection
• Authentication bypass
• Privilege escalation
• Sensitive data exposure
• Cross-site scripting (XSS) with significant impact

Medium Severity:

• Cross-site request forgery (CSRF)
• Information disclosure
• Insecure direct object references
• Session management issues
• API authentication weaknesses

Low Severity:

• Missing security headers
• Verbose error messages
• Minor information leakage
• Configuration issues

Encryption in Transit:

• TLS 1.3 for all connections
• HTTPS enforced across all endpoints
• Perfect Forward Secrecy enabled
• HSTS with preloading

Encryption at Rest:

• Database encryption for sensitive data
• Secure key management practices
• Encrypted backups

Password Security:

• bcrypt hashing with salt
• Minimum complexity requirements
• Secure password reset flow
• No plaintext storage

Network Security:

• DDoS protection via Cloudflare
• Web Application Firewall (WAF)
• Rate limiting on all endpoints
• IP-based access controls for admin functions

Server Hardening:

• Regular security updates
• Minimal attack surface
• Principle of least privilege
• Secure configuration baselines

Monitoring:

• Real-time intrusion detection
• Log aggregation and analysis
• Anomaly detection
• Incident alerting

Development Practices:

• Security code reviews
• Static analysis tools
• Dependency vulnerability scanning
• Regular penetration testing

Authentication & Authorization:

• Session timeout policies
• CSRF protection
• Input validation and sanitization
• Output encoding

API Security:

• Rate limiting per API key
• Request validation
• Authentication required for sensitive endpoints
• Audit logging

We collect only what's necessary:

• Search queries are not stored permanently
• No behavioral tracking
• No cross-site tracking
• Minimal personal data retention

• Role-based access control (RBAC)
• Multi-factor authentication for admin access
• Regular access reviews
• Audit trails for sensitive operations

In the event of a security incident:

1. Identification - Detect and classify the incident
2. Containment - Limit damage and prevent spread
3. Eradication - Remove the threat
4. Recovery - Restore normal operations
5. Lessons Learned - Post-incident review and improvements

If a data breach occurs affecting user data:

• Users notified within 72 hours
• Regulatory authorities notified as required
• Public disclosure when appropriate
• Remediation steps communicated

Recommendations:

• Use a strong, unique password
• Enable two-factor authentication (when available)
• Review account activity regularly
• Log out from shared devices
• Keep your email secure

OwlGuard Features:

• Secure session management
• Login notifications (coming soon)
• Session history (coming soon)
• Account recovery options

Recommendations:

• Keep your browser updated
• Use HTTPS everywhere
• Be cautious of phishing attempts
• Verify you're on indexa.site
• Review browser extension permissions

For Developers:

• Keep API keys confidential
• Use environment variables for keys
• Rotate keys periodically
• Monitor API usage for anomalies
• Use HTTPS for all API calls

Indexa security practices align with:

• OWASP Top 10
• CIS Controls
• NIST Cybersecurity Framework
• SOC 2 principles (Type II planned)

Compliant with:

• GDPR (European Union)
• CCPA (California)
• PIPEDA (Canada)
• DPDP Act (India)

See Privacy Policy for details.

Security Announcements:

• GitHub Security Advisories
• Email notifications (for registered users)
• Status page updates

Subscribe to updates:

• Watch the repository for security advisories
• Follow @indexa_security (coming soon)
• Check status.indexa.site

We recognize security researchers who help keep Indexa secure:

Hall of Fame coming soon - be the first!

To be listed:

• Report a valid vulnerability
• Follow responsible disclosure
• Allow us to fix before public disclosure
• Opt-in to public recognition

• Regular dependency audits
• Automated vulnerability scanning
• Prompt patching of known vulnerabilities
• Minimal dependency footprint

Our security-vetted partners:

• Cloudflare (CDN/DDoS protection)
• GitHub (Source code hosting)

All partners meet our security and privacy standards.

Security Team: security@indexa.site
PGP Key: [Coming soon]
Response Time: Within 24 hours

For non-security issues:

• General support: support@indexa.site
• Privacy questions: privacy@indexa.site
• Legal matters: legal@indexa.site

Back to Documentation • Privacy Policy • FAQ

_{© 2026 Indexa Inc. • Security is everyone's responsibility}