security

Operational security.
No marketing theater.

What we ship today, what's on the roadmap, and how to report a vulnerability. Everything below is something Metalhost does in production right now unless explicitly labeled "roadmap."

[ posture ]
current posture

How the platform protects you, today.

// 01

Tenant isolation

Each customer tenant runs on isolated compute and network boundaries. East-west traffic between tenants is blocked by default; public IPv4 is default-deny until you open a rule. Workloads cannot reach other customers' resources.

// 02

Encryption in transit

TLS 1.2+ on every customer-facing endpoint, with HSTS on the marketing site and dashboard. Encrypted service-to-service traffic on the control plane.

// 03

Encryption at rest

Customer credentials, session tokens, and OAuth refresh tokens are encrypted at rest. Block storage and snapshot encryption-at-rest is supported and rolling out fleet-wide.

// 04

Identity & access

Email + password with bcrypt-grade hashing; TOTP MFA enrollment; OIDC SSO (GitHub and Google); scoped API keys with prefix display + rotation; session list + revoke; principal lockout for breached accounts.

// 05

Audit logging

Every administrative action — your own and ours — writes to an immutable audit log. Customer-readable for your project via the API; operator-side logs feed our incident response.

// 06

Network defenses

Edge DDoS mitigation on the public site and API. Per-tenant stateful firewall rules you control in the dashboard. Public IPv4 default-deny until you open a rule.

// 07

Internal access

Production access is least-privilege and audit-logged. Just-in-time elevation for debugging. Operator credentials are hardware-backed — no shared static passwords.

// 08

Vulnerability response

Coordinated-disclosure program; 5 business-day acknowledgement, 90-day default disclosure window. Dependency scanning on every build. Security patches ship through our normal release process.

// 09

Sub-processor hygiene

Sub-processors listed publicly in the privacy policy and DPA; 30-day notice before adding new ones. Each is contractually bound to GDPR/CCPA-compliant data-protection terms.

[ roadmap ]
roadmap

What's coming, with honest timelines.

We won't list a feature here unless we believe we can ship it. If a date slips, this page changes; we don't quietly leave stale promises on the internet.

Customer-managed encryption keys (BYOK)

post-launch v1.x

Bring your own KMS / HSM key for disk and snapshot encryption.

SOC 2 Type I report

within 6 months of GA

Auditor selected; control mapping in progress. Type II follows after a 6-month observation period.

Paid bug-bounty program

with SOC 2

Coordinated disclosure runs today; the paid bounty (likely on HackerOne or Intigriti) lights up alongside SOC 2 so we can budget for it.

Hardware security module for payment credentials

post-launch v1.x

Payment processor integration secrets move to HSM-backed storage.

Annual penetration test (third-party)

post-GA

Scoped against the public API + the customer dashboard. Summary report shareable under NDA.

[ disclosure ]
vulnerability disclosure

Found something? Tell us.

We run a coordinated-disclosure program for the Metalhost platform, marketing site, API, dashboard, and CLI. We don't currently pay a bounty (that lights up with SOC 2 — see the roadmap), but we will acknowledge legitimate reports, fix them in priority order, and credit you publicly if you want.

How to report: email security@metalhost.net with a clear write-up. We accept reports in any reasonable form (markdown, PDF, attached PoC). If your finding involves Customer Data or active exploitation, please don't include real customer data in the report itself — describe how to reproduce instead.

What we do: we acknowledge within 5 business days, triage within 10, and ship a fix on a timeline proportional to severity (critical: days, high: 30 days, medium: 90 days). We coordinate public disclosure with you; default disclosure window is 90 days after a fix ships.

Safe harbor: if you act in good faith, follow this policy, don't access or modify data you don't own, and don't disrupt the Service for other customers, we won't pursue legal action against you. Standard researcher protections.

Out of scope: social-engineering attacks against staff; physical attacks against datacenters; DDoS against production; spam or rate-limit findings on the marketing site; third-party services we use (report those to the vendor).

// disclosure.summary (accepting)

contact: security@metalhost.net
ack window: 5 business days
triage: 10 business days
disclosure: 90 days after fix
bounty: coordinated only (paid program with SOC 2)
safe harbor: good-faith research protected

PGP key for encrypted reports available on request: reply to the first ack email and we'll send our public key. Policy contact details are also at /.well-known/security.txt.

[ diligence ]
diligence

For procurement teams.

Doing security review before signing? We can answer a standard vendor questionnaire (CAIQ, SIG-Lite, or a custom checklist) and share our DPA, sub-processor list, and architecture description under a mutual NDA. Reach out to security@metalhost.net with what your team needs.

For the data-protection side specifically, the Data Processing Agreement and Privacy Policy cover sub-processors, transfer mechanisms, retention, and your rights. We're the controller for your account data and a processor for whatever your workloads push through the platform.