Hayanlabs takes the security of StackPilot App, our Site, and our customers' data seriously. This page summarises our security posture and explains how to report a vulnerability responsibly.
Security Posture (Summary)
- Local execution by design. StackPilot App is a desktop application. SSH keys, server credentials, command history, and deployment data stay on your machine and never traverse Hayanlabs servers.
- Transport security. TLS 1.2+ for all traffic between the desktop app, the Site, and our backend.
- Authentication. Account passwords are stored using a modern adaptive hashing algorithm. We support strong password requirements and are working towards two-factor authentication.
- Encryption at rest. Payment-related records and account data are encrypted at rest by our hosting provider.
- Access control. Role-based access to production systems; access is limited to personnel with a business need and logged.
- Backups. Daily off-site backups of the application database, with periodic restore testing.
- Supplier due diligence. See our Sub-processors page for the list of third parties we rely on.
- Reasonable security practices. Our practices are aligned with Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and informed by ISO/IEC 27001 controls.
Responsible Vulnerability Disclosure
If you believe you have found a security vulnerability in StackPilot App, the Site, or any of our infrastructure, please report it to us before disclosing it publicly.
How to report
- Email security@stackpilotapp.com (forwards to contact@stackpilotapp.com until a dedicated mailbox is provisioned).
- Include: a description of the issue, steps to reproduce (proof of concept), the affected URL or component, your assessment of impact, and any mitigation suggestions.
- If the report contains sensitive information, request PGP and we will arrange an encrypted channel.
Our commitment
- We will acknowledge receipt within 3 business days.
- We will share an initial triage assessment within 10 business days.
- We will keep you reasonably informed of remediation progress.
- We will not pursue legal action against good-faith researchers who comply with this policy.
Out of scope / not eligible
- Findings against third-party services we do not control (e.g., Vercel, Razorpay, PayPal, Cloudflare); report them directly to those vendors.
- Reports based solely on automated scanner output with no exploit demonstration.
- Social engineering, phishing, or physical attacks against Hayanlabs personnel.
- Denial-of-service / rate-limit testing.
- Findings that require highly improbable user interaction or a fully compromised endpoint.
Bug Bounty
Hayanlabs does not currently operate a paid bug-bounty programme. We will, however, publicly credit researchers who report a valid, impactful vulnerability under this policy, with their permission, and may offer a token of thanks at our discretion.
Incident Communications
If a security incident affects you, we will notify you in accordance with our Privacy Policy and applicable law, including the 72-hour breach-notification timeline under GDPR where it applies.
Contact
Vulnerability reports: security@stackpilotapp.com
General: contact@stackpilotapp.com
