Security Assessment
Pentest & Hardening Summary
This is a sanitised public summary of our most recent independent security assessment. Sensitive technical details, exploit proofs-of-concept, and raw scanner output are not included. The full report is available to qualified prospects and customers under NDA.
Assessment overview
Methodology & scope
Assessment details
- Auditor: Independent third-party security firm (name available under NDA)
- Methodology: OWASP Testing Guide v4.2, PTES, CVSS v3.1 scoring
- Environment: Dedicated assessment environment with synthetic tenant data
- Approach: Grey-box testing (authenticated user + unprivileged accounts)
In scope
- Web application (React SPA)
- REST API (Supabase PostgREST + Edge Functions)
- Network and infrastructure layer
- Authentication and session management
- Multi-tenant access control and RLS
Test coverage
Areas assessed
Web Application
Full authenticated and unauthenticated surface area of the React SPA, including all UI flows and client-side logic.
REST API
All Supabase PostgREST endpoints, Edge Functions, authentication endpoints, and webhook receivers.
Infrastructure
TLS configuration, HTTP headers, certificate chain, DNS configuration, and CDN edge security posture.
Access Control
Multi-tenant isolation, RLS policy coverage, privilege escalation attempts, and session management.
Input Validation
SQL injection, XSS, XXE, SSRF and other injection vectors across all authenticated and unauthenticated endpoints.
Authentication
MFA bypass attempts, session fixation, token leakage, OAuth flow review, and passkey implementation.
Executive summary
Findings by severity
All findings, at every severity level, are marked resolved.
No critical-severity vulnerabilities were identified. All high-severity and medium-severity findings were remediated prior to the report finalisation date. The auditor confirmed no vulnerabilities remained open at the time of report sign-off.
Sanitised finding summaries
Insufficient rate limiting on authentication endpoint
The password authentication endpoint did not enforce rate limiting under certain request patterns, potentially allowing brute-force attempts against user accounts at elevated request rates.
Remediation: Rate limiting and exponential back-off implemented at the API gateway level. Account lockout policy enforced after 10 failed attempts within 5 minutes.
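The mechanism behind this remediation, as an added example rather than Gatekeeper's own code: a login throttle that combines per-source exponential back-off (absorbing high-rate attempts from one address) with a per-account counter that locks the account after 10 failures within 5 minutes from any addresses combined. The gateway hook, the lock duration, the back-off constants and the injectable clock are assumptions, and the in-memory Maps stand in for the shared store (Redis, Postgres) that a multi-instance gateway would need.

```typescript
// Added example, not Gatekeeper's own code: login throttling with per-source
// exponential back-off plus a per-account lockout (10 failures in 5 minutes).
// Lock duration, back-off constants, clock and store are assumptions.

type Clock = () => number; // milliseconds since epoch; injectable for simulation

interface SourceState { failures: number; blockedUntil: number }
interface AccountState { failureTimes: number[]; lockedUntil: number }

export interface ThrottleOptions {
  lockoutThreshold: number; // failed attempts ...
  lockoutWindowMs: number;  // ... within this window lock the account ...
  lockoutMs: number;        // ... for this long (assumption: 15 minutes)
  baseBackoffMs: number;    // first per-source delay; doubles on each failure ...
  maxBackoffMs: number;     // ... up to this cap
}

export const DEFAULT_OPTIONS: ThrottleOptions = {
  lockoutThreshold: 10, lockoutWindowMs: 5 * 60_000, lockoutMs: 15 * 60_000,
  baseBackoffMs: 1_000, maxBackoffMs: 60_000,
};

export class AuthThrottle {
  private sources = new Map<string, SourceState>();
  private accounts = new Map<string, AccountState>();

  constructor(private readonly now: Clock = () => Date.now(),
              private readonly opts: ThrottleOptions = DEFAULT_OPTIONS) {}

  /** Called before the password check. null = proceed; otherwise the refusal reason. */
  check(sourceIp: string, username: string): "backoff" | "locked" | null {
    const t = this.now();
    const s = this.sources.get(sourceIp);
    if (s && s.blockedUntil > t) return "backoff";
    const a = this.accounts.get(username);
    if (a && a.lockedUntil > t) return "locked";
    return null;
  }

  /** Called after a wrong password. */
  recordFailure(sourceIp: string, username: string): void {
    const t = this.now();
    // Source back-off: 1 s, 2 s, 4 s, ... capped; cleared again on success.
    const s = this.sources.get(sourceIp) ?? { failures: 0, blockedUntil: 0 };
    s.failures += 1;
    const delay = Math.min(this.opts.baseBackoffMs * 2 ** (s.failures - 1), this.opts.maxBackoffMs);
    s.blockedUntil = t + delay;
    this.sources.set(sourceIp, s);
    // Account lockout: sliding window over failures from every source combined,
    // so a brute force spread across many addresses still trips it.
    const a = this.accounts.get(username) ?? { failureTimes: [], lockedUntil: 0 };
    a.failureTimes = a.failureTimes.filter((ft) => ft > t - this.opts.lockoutWindowMs);
    a.failureTimes.push(t);
    if (a.failureTimes.length >= this.opts.lockoutThreshold) {
      a.lockedUntil = t + this.opts.lockoutMs;
      a.failureTimes = [];
    }
    this.accounts.set(username, a);
  }

  /** Called after a correct password (only reachable when check() returned null). */
  recordSuccess(sourceIp: string, username: string): void {
    this.sources.delete(sourceIp);
    this.accounts.delete(username);
  }
}

/**
 * Scripted brute force against one account, rotating through `ips` with one
 * attempt every `intervalMs`, under a simulated clock. Returns how many
 * attempts reached the password check, how many the back-off refused, and
 * the 1-based attempt at which the account reported itself locked.
 */
export function simulate(ips: string[], attempts: number, intervalMs: number) {
  let t = 0;
  const throttle = new AuthThrottle(() => t);
  const result = { checked: 0, backoff: 0, lockedAt: null as number | null };
  for (let i = 0; i < attempts; i++) {
    const ip = ips[i % ips.length];
    const verdict = throttle.check(ip, "alice"); // constructed target account
    if (verdict === "locked") { result.lockedAt = i + 1; break; }
    if (verdict === "backoff") { result.backoff++; }
    else { result.checked++; throttle.recordFailure(ip, "alice"); }
    t += intervalMs;
  }
  return result;
}

// One source at 10 attempts/s: the back-off lets only a few of 60 attempts through.
console.log(simulate(["198.51.100.7"], 60, 100));
// Ten sources (constructed TEST-NET addresses): the account locks after 10 failures.
console.log(simulate(Array.from({ length: 10 }, (_, i) => `203.0.113.${i + 1}`), 12, 100));
```

Two things to keep in mind when deploying a throttle of this shape behind a CDN: key the source on the client address the edge forwards, not on the edge's own address, or every user behind the CDN shares one back-off bucket; and a per-account lockout is also a lever for locking a victim out on purpose, which is why the lock is time-limited rather than permanent and why the source back-off is there to absorb most of the volume first.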
Verbose error messages in API responses
Certain API error conditions returned stack traces or internal identifiers that could provide reconnaissance value to an attacker.
Remediation: Error handling refactored to return generic messages to clients. Detailed error context is now logged server-side only.
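The response discipline this remediation describes, as an added example (not Gatekeeper's own code) in the shape of a helper for a Supabase Edge Function: anything unexpected becomes a generic 500 that carries only a correlation id, while the full message and stack are written to the server-side log under that same id so support can still find them. The ApiError class, the logger shape and the handler wrapper are assumptions.

```typescript
// Added example, not Gatekeeper's own code: generic client errors with
// server-side detail, correlated by a request id. ApiError, the logger
// signature and the fetch-style handler wrapper are assumptions.
import { randomUUID } from "node:crypto";

/** Errors the API deliberately exposes: a safe status and a safe message. */
export class ApiError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
    Object.setPrototypeOf(this, ApiError.prototype); // keeps instanceof working when targeting ES5
    this.name = "ApiError";
  }
}

export interface ClientErrorBody { error: string; requestId: string }
export interface ServerErrorRecord { requestId: string; name: string; message: string; stack?: string }

/**
 * Maps anything thrown to (a) what the client may see and (b) what the log
 * gets. Only ApiError messages reach the client; a database or runtime error
 * (table names, SQL fragments, file paths in the stack) is logged, not returned.
 */
export function toClientError(
  err: unknown,
  log: (record: ServerErrorRecord) => void = (r) => console.error(JSON.stringify(r)),
): { status: number; body: ClientErrorBody } {
  const requestId = randomUUID();
  const e = err instanceof Error ? err : new Error(String(err));
  log({ requestId, name: e.name, message: e.message, stack: e.stack });
  if (e instanceof ApiError) {
    return { status: e.status, body: { error: e.message, requestId } };
  }
  return { status: 500, body: { error: "Internal server error", requestId } };
}

/** Wraps a fetch-style handler so every thrown error goes through toClientError. */
export function withErrorHandling(handler: (req: Request) => Promise<Response>) {
  return async (req: Request): Promise<Response> => {
    try {
      return await handler(req);
    } catch (err) {
      const { status, body } = toClientError(err);
      return new Response(JSON.stringify(body), {
        status, headers: { "content-type": "application/json" },
      });
    }
  };
}

// Constructed failure resembling what a leaky handler used to return verbatim.
const dbFailure = new Error('relation "tenant_api_keys" does not exist');
console.log(toClientError(dbFailure, () => {}).body);
console.log(toClientError(new ApiError(404, "Project not found"), () => {}).body);
```

The request id is the only thing that crosses the boundary in both directions; the log record should never be echoed back, and the logger itself should be kept from recording request bodies or headers that may carry credentials.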
Session tokens not invalidated on password change
Existing active sessions were not invalidated when a user changed their password, allowing an attacker who had obtained an older session token to maintain access.
Remediation: All active sessions for the affected user are now invalidated immediately upon password change or reset.
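One way to implement this remediation, as an added example and not Gatekeeper's own code: each token records when it was issued (iat), the user record records when the password last changed, and a token is accepted only if it was issued at or after that moment. Moving the cut-off forward revokes every earlier token at once with no per-session bookkeeping, which is what makes it fit stateless tokens such as Supabase's JWTs. The user store, the token shape (milliseconds rather than JWT seconds) and the injectable clock are assumptions.

```typescript
// Added example, not Gatekeeper's own code: revoking all sessions on
// password change via an "issued-at vs password-changed-at" check.
// User store, token shape and clock are assumptions.

interface UserRecord { id: string; passwordHash: string; passwordChangedAt: number } // ms since epoch
export interface SessionToken { sub: string; iat: number; exp: number }               // ms since epoch
type Clock = () => number;

export class SessionAuthority {
  private users = new Map<string, UserRecord>();
  constructor(private readonly now: Clock = () => Date.now()) {}

  addUser(id: string, passwordHash: string): void {
    this.users.set(id, { id, passwordHash, passwordChangedAt: this.now() });
  }

  /** Issues a session token; iat is what the password-change check compares. */
  issue(userId: string, ttlMs = 3_600_000): SessionToken {
    const iat = this.now();
    return { sub: userId, iat, exp: iat + ttlMs };
  }

  /** Valid only if unexpired AND issued no earlier than the last password change. */
  validate(token: SessionToken): boolean {
    const user = this.users.get(token.sub);
    if (!user) return false;
    if (token.exp <= this.now()) return false;
    return token.iat >= user.passwordChangedAt;
  }

  /**
   * Password change or reset. Moving passwordChangedAt forward invalidates
   * every token issued before it at once, including the one used to make the
   * change; the caller gets a fresh token so the legitimate user stays logged in.
   */
  changePassword(userId: string, newHash: string): SessionToken {
    const user = this.users.get(userId);
    if (!user) throw new Error("unknown user");
    user.passwordHash = newHash;
    user.passwordChangedAt = this.now();
    return this.issue(userId);
  }
}

/** Replays the finding under a simulated clock: an attacker holds an older token. */
export function scenario() {
  let t = 1_700_000_000_000;
  const auth = new SessionAuthority(() => t);
  auth.addUser("alice", "argon2id$old"); // constructed hash placeholder
  t += 1_000;
  const stolen = auth.issue("alice");    // token the attacker obtained earlier
  t += 60_000;
  const beforeChange = auth.validate(stolen);
  const fresh = auth.changePassword("alice", "argon2id$new");
  t += 1_000;
  return {
    stolenValidBeforeChange: beforeChange,          // the stolen token worked until now
    stolenValidAfterChange: auth.validate(stolen),  // revoked by the change
    freshValidAfterChange: auth.validate(fresh),    // the user keeps a session
  };
}

console.log(scenario());
```

Two details matter in a real deployment. JWT iat has one-second granularity, so store the cut-off in seconds as well and accept that a token issued in the same second as the change passes. And the refresh-token path must apply the same check or revoke refresh tokens server-side, otherwise the attacker simply refreshes into a post-change session. supabase-js also exposes signOut({ scope: 'global' }) for ending the signed-in user's sessions on every device.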
Missing subresource integrity on one third-party script
A third-party analytics script was loaded without a Subresource Integrity (SRI) hash, so a compromise of that CDN could have delivered a modified script that the page would execute with the full privileges of the application origin.
Remediation: SRI hash added. Script moved to self-hosted copy. CSP updated to restrict external script sources.
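Subresource Integrity as this remediation applies it, as an added example (not Gatekeeper's own code): sriHash produces the integrity attribute for the bytes you actually serve, sriMatches is the check a browser performs on what arrived, and two small helpers emit the script tag and the script-src directive that goes with a self-hosted copy. The script body, path and example origin are constructed.

```typescript
// Added example, not Gatekeeper's own code: computing and verifying SRI
// values and emitting the matching tag and CSP directive. Script content,
// path and origins are constructed.
import { createHash } from "node:crypto";

export type SriAlgorithm = "sha256" | "sha384" | "sha512";

/** Integrity attribute value: "<alg>-<base64 digest of the exact bytes served>". */
export function sriHash(content: string | Uint8Array, alg: SriAlgorithm = "sha384"): string {
  return `${alg}-${createHash(alg).update(content).digest("base64")}`;
}

/**
 * Browser-side rule: recompute the digest of the fetched bytes and compare
 * with the attribute. A space-separated list may carry several entries;
 * any matching entry with a supported algorithm passes, unknown ones are ignored.
 */
export function sriMatches(content: string | Uint8Array, integrity: string): boolean {
  return integrity.trim().split(/\s+/).some((entry) => {
    const dash = entry.indexOf("-");
    if (dash < 0) return false;
    const alg = entry.slice(0, dash);
    const expected = entry.slice(dash + 1);
    if (alg !== "sha256" && alg !== "sha384" && alg !== "sha512") return false;
    return createHash(alg).update(content).digest("base64") === expected;
  });
}

/** <script> tag pinned to the served content; crossorigin is required for SRI on cross-origin loads. */
export function scriptTag(src: string, content: string, alg: SriAlgorithm = "sha384"): string {
  return `<script src="${src}" integrity="${sriHash(content, alg)}" crossorigin="anonymous"></script>`;
}

/** script-src directive: same origin plus whichever third-party origins remain allowed. */
export function scriptSrcDirective(externalOrigins: string[] = []): string {
  return ["script-src", "'self'", ...externalOrigins].join(" ");
}

// Constructed stand-in for the self-hosted analytics script.
const analyticsJs = "window.analytics = { track: function (e) { return e; } };";
console.log(scriptTag("/vendor/analytics.js", analyticsJs));
console.log("Content-Security-Policy: " + scriptSrcDirective());
console.log(sriMatches(analyticsJs + "\n/* injected */", sriHash(analyticsJs)));
```

The hash must be regenerated whenever the self-hosted file changes, so it belongs in the build step that writes the HTML; a stale hash fails closed, which is the correct direction to fail in.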
TLS 1.2 CBC cipher suite reachable via fallback
A legacy CBC-mode cipher suite in the TLS 1.2 configuration (the fallback for clients without TLS 1.3) could still be negotiated by older clients. CBC suites use MAC-then-encrypt rather than an AEAD construction and are the ones historically exposed to padding-oracle attacks.
Remediation: All CBC-mode cipher suites removed from the TLS 1.2 configuration. Only ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 is accepted, so every negotiable suite is both AEAD and forward secret.
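A check that the remediated policy (ECDHE key exchange, AES-GCM or ChaCha20-Poly1305, no CBC) actually holds, as an added example that is neither Gatekeeper's code nor the auditor's tooling: classifyCipher applies the policy to IANA suite names of the kind reported by `nmap --script ssl-enum-ciphers` or a scanner, and probeCipher asks a live server to negotiate one specific OpenSSL-named suite over TLS 1.2 and reports whether it agreed. The sample scan list and any host are constructed.

```typescript
// Added example, not Gatekeeper's code and not the auditor's tooling:
// classify suite names against the stated policy, and probe a live server
// for one specific suite. Sample scan list and host are constructed.
import * as tls from "node:tls";

export type Verdict = "allowed" | "cbc" | "non-ecdhe" | "other";

/** Policy verdict for an IANA-style suite name such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. */
export function classifyCipher(ianaName: string): Verdict {
  const n = ianaName.trim().toUpperCase();
  // TLS 1.3 suites carry no key exchange in the name: always (EC)DHE and always AEAD.
  if (/^TLS_(AES_\d+_(GCM|CCM|CCM_8)_SHA\d+|CHACHA20_POLY1305_SHA256)$/.test(n)) return "allowed";
  // RSA key transport has no forward secrecy; DHE does, but is outside the stated policy.
  if (!n.startsWith("TLS_ECDHE_")) return "non-ecdhe";
  // MAC-then-encrypt; the padding-oracle family (Lucky13 and relatives) lives here.
  if (n.includes("_CBC_")) return "cbc";
  if (n.includes("_GCM_") || n.includes("CHACHA20_POLY1305")) return "allowed";
  return "other"; // RC4, 3DES, NULL, CCM: not in the stated policy
}

export interface CipherAudit { allowed: string[]; violations: { name: string; reason: Verdict }[] }

/** Splits a scanner's suite list into what the policy permits and what it does not. */
export function auditCipherList(names: string[]): CipherAudit {
  const audit: CipherAudit = { allowed: [], violations: [] };
  for (const name of names) {
    const reason = classifyCipher(name);
    if (reason === "allowed") audit.allowed.push(name);
    else audit.violations.push({ name, reason });
  }
  return audit;
}

/**
 * Live check. Offer exactly one suite by its OpenSSL name (e.g. "ECDHE-RSA-AES128-SHA256"
 * is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), pinned to TLS 1.2. Resolves true
 * only if the server completed the handshake with that suite; a refusal
 * (no shared cipher), timeout or other error resolves false.
 */
export function probeCipher(host: string, opensslName: string, port = 443): Promise<boolean> {
  return new Promise((resolve) => {
    const sock = tls.connect(
      { host, port, servername: host, ciphers: opensslName, minVersion: "TLSv1.2", maxVersion: "TLSv1.2" },
      () => {
        const negotiated = sock.getCipher().name;
        sock.end();
        resolve(negotiated === opensslName);
      },
    );
    sock.setTimeout(5_000, () => { sock.destroy(); resolve(false); });
    sock.on("error", () => resolve(false));
  });
}

// Constructed scan output resembling the pre-fix state.
export const SAMPLE_SCAN = [
  "TLS_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
  "TLS_RSA_WITH_AES_128_GCM_SHA256",
];
console.log(auditCipherList(SAMPLE_SCAN));
```

Running probeCipher against the production host with each CBC suite that the pre-fix scan listed is the direct way to confirm the remediation from outside; a configuration file says what should happen, the handshake says what does. Note that Node's ciphers option takes OpenSSL names, not the IANA names the classifier uses.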
Security hardening
Hardening checklist
Responsible disclosure
Found a vulnerability?
We welcome responsible disclosure from security researchers. If you discover a vulnerability in the Gatekeeper platform, please report it privately to our security team. We commit to acknowledging your report within 24 hours, providing an initial assessment within 72 hours, and crediting your contribution.
We will not pursue legal action against researchers acting in good faith who do not access customer data beyond what is necessary to demonstrate the vulnerability and who provide us reasonable time to remediate before public disclosure.
Report to
security@bbravegatekeeper.cloud (PGP key available on request).
Want the full report?
The complete pentest report including all findings, reproduction steps, scanner output, and auditor certification is available under NDA to qualified prospects and existing customers.
