Housecarl AuthZ
Private beta · Q2 2026

Security Policy

Overview

Upside Down Research takes security seriously. This page outlines our security practices, how to report vulnerabilities, and our security philosophy.

Security Philosophy

Our platform is built with security as a foundational principle:

  • Defense in Depth — Multiple security layers protect against threats
  • Least Privilege — Components have minimum necessary permissions
  • Zero Trust — Every request is verified and authenticated
  • Secure by Default — Safe defaults with explicit opt-out required

Reporting a Vulnerability

We appreciate responsible disclosure of security vulnerabilities.

How to Report

Please do not open public issues for security vulnerabilities.

Instead, report security issues via email to:

support@upside-down-research.com

What to Include

When reporting a vulnerability, please include:

  1. Description — Clear explanation of the vulnerability
  2. Impact — Potential security impact and affected components
  3. Reproduction Steps — Detailed steps to reproduce the issue
  4. Environment — Version, configuration, deployment context
  5. Suggested Fix — If you have recommendations (optional)

Response Timeline

  • Initial Response: within 48 hours of report submission
  • Status Update: weekly updates on investigation progress
  • Resolution: timeline depends on severity and complexity

Disclosure Policy

We follow coordinated disclosure:

  1. Vulnerability reported privately
  2. We investigate and develop a fix
  3. Fix is tested and deployed
  4. Security advisory published after fix is available
  5. Reporter credited (if desired)

Security Practices

Authentication & Authorization

  • Token-based authentication with configurable expiration
  • Policy-based authorization with fine-grained access control
  • Multi-tenant isolation enforced at the data layer
  • Modern memory-hard password hashing for credential storage

Data Protection

  • TLS-only transport in production
  • Secrets injected at runtime; never stored in source control
  • Production secrets managed by the deployment platform
  • Input validation at service boundaries
  • Parameterized database queries — no string concatenation

Application Hardening

  • CSRF protection on state-changing form submissions
  • Standard security response headers
  • Audit logging for security-relevant events

OWASP Top 10 Posture

We actively address the OWASP Top 10:

  1. Injection — Parameterized queries, input validation
  2. Broken Authentication — Token-based sessions, modern password hashing
  3. Sensitive Data Exposure — TLS, secret redaction in logs
  4. XML External Entities — Not applicable (no XML parsing)
  5. Broken Access Control — Authorization-first design
  6. Security Misconfiguration — Secure defaults, explicit configuration
  7. XSS — Output encoding, Content-Security-Policy
  8. Insecure Deserialization — Memory-safe language, validated inputs
  9. Vulnerable Components — Memory-safe runtime, dependency scanning
  10. Insufficient Logging & Monitoring — Audit logs, observability

Security Testing

  • Test-driven development with security cases authored alongside features
  • Static analysis enforced in continuous integration
  • Independent security review before security-sensitive changes are merged
  • Regression tests for previously fixed security issues

Security Roadmap

Planned security enhancements:

  • CI-integrated dependency vulnerability scanning
  • Per-tenant, per-endpoint rate limiting across all services
  • Regular third-party security audits
  • Penetration testing before production launch
  • Bug bounty program (post-launch)
  • Security compliance certifications (SOC 2, ISO 27001)

Supported Versions

Pre-release versions are not supported and will not receive security fixes. Security support begins with the 1.0 release.

Version    Supported    Status
Pre-1.x    No           Pre-release — no security support
1.x        Yes          Supported once released

Once 1.0 ships, security updates will be provided for:

  • Current stable release
  • Previous minor version (for 90 days after a new release)

Security Updates

Security fixes are released as:

  1. Critical — Immediate patch release, advisory published
  2. High — Patch within 7 days
  3. Medium — Patch in next minor release
  4. Low — Addressed in regular release cycle

Contact

  • Security Email: support@upside-down-research.com
  • General Contact: hello@upside-down-research.com
  • Website: https://upside-down-research.com

Acknowledgments

We thank security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged in security advisories (unless anonymity is requested).
Last updated: 2026-05-07. This security policy is subject to change.