We publish our security posture openly — independent pentest results, CVE history, architecture controls, and SOC 2 progress. No marketing spin. Just the numbers.
Black-box + grey-box pentest across all API endpoints, authentication flows, WebSocket channels, MCP sandbox, and AI pipeline. Every finding fixed before go-live.
The two severity levels that indicate exploitable, immediate-impact vulnerabilities. Zero found across all attack surfaces tested.
ReDoS edge case, WebSocket IP spoofing, and CSP nonce gap. All three patched and re-verified before the report was delivered.
404 response hardening and debug-mode stack trace removal. Fixed same sprint, before any production traffic was affected.
ReDoS — catastrophic backtrack in pattern_loader.py on malformed regex
Fix: Input capped at 512 chars; re2-safe pattern substitution applied
WebSocket XFF bypass — source IP spoofable via forged X-Forwarded-For
Fix: XFF stripped at edge; Cloudflare CF-Connecting-IP enforced as authoritative
CSP nonce not propagated to dynamically-injected inline scripts
Fix: Nonce injected via middleware on all responses; strict-dynamic enforced
Auth routes returning 200 instead of 404 on non-existent resource
Fix: RFC 9110-compliant 404 responses added to 18 auth handlers
Stack trace exposure in 500 responses under debug mode
Fix: Debug mode removed from all production paths; safe_error wrapper enforced
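The WebSocket XFF finding above comes down to one rule: never derive a client's address from a header the client can set. The following is an added illustration, not G8KEPR's code, of resolving the client IP the way the fix describes (X-Forwarded-For ignored, CF-Connecting-IP honoured only when the connection arrives from the edge) and keying a handshake rate limit on the result. The edge network range, the `HandshakeLimiter` class and the limit value are assumptions for the example.

```python
import ipaddress
from collections import Counter
from typing import Mapping, Optional

# Assumed edge range for the example. In production this would be the CDN
# provider's published IP ranges, loaded from configuration, not hard-coded.
TRUSTED_EDGE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the IP used for rate limiting and audit logs, or None to reject.

    X-Forwarded-For is never read: anything the edge did not strip could have
    been forged by a client that reached the origin directly. CF-Connecting-IP
    is honoured only when the TCP peer is a trusted edge node; otherwise the
    socket peer address is authoritative.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_EDGE_NETWORKS):
        return str(peer)  # direct connection: headers are untrusted
    raw = _header(headers, "cf-connecting-ip")
    if raw is None:
        return None  # edge traffic must carry the header; refuse otherwise
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None  # malformed value: fail closed rather than trust it


class HandshakeLimiter:
    """Per-client WebSocket handshake counter keyed on the resolved IP."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.seen: Counter = Counter()

    def allow(self, peer_ip: str, headers: Mapping[str, str]) -> bool:
        client = resolve_client_ip(peer_ip, headers)
        if client is None:
            return False  # unresolvable origin: deny the handshake
        self.seen[client] += 1
        return self.seen[client] <= self.limit
```

Because the forged X-Forwarded-For value never reaches the key, repeated direct connections from one peer all land in the same bucket regardless of what the header claims.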
Full NDA-protected pentest report available to enterprise prospects on request.
Most SaaS security is checkbox compliance — bolted on after the fact. G8KEPR built security into the core architecture from day one.
A breach must defeat every layer independently. Each layer is operated and verified separately — there is no single point of failure.
DDoS mitigation, origin IP hidden, TLS 1.3 terminated at edge
926 OWASP Core Rule Set rules active — blocks SQLi, XSS, RCE, path traversal
Rate limiting, JWT validation, scoped API keys, circuit breakers, MCP sandbox
PostgreSQL row-level security enforces tenant isolation at the DB layer
Verified against SSL Labs, securityheaders.com, and Mozilla Observatory. TLS 1.3 only — TLS 1.1 and 1.2 are disabled. All headers are enforced server-side, not just report-only.
pip-audit + npm audit run as blocking CI gates on every pull request
No critical dependency vulnerabilities found in project lifetime
Next.js CVE-2025-29927 — header bypass. Patched same day, before any production traffic was routed
Automated alerts fire when a new CVE matches a pinned dependency version
pip-audit CI gate
Blocks PRs if any Python dependency has a known CVE. No exceptions without documented justification.
TruffleHog secret scan
Scans every commit for accidentally committed API keys, credentials, and tokens. Blocks merge on hit.
SBOM diff on release
Software Bill of Materials diff is generated and attached to every GitHub release artifact.
All technical controls are implemented and independently verifiable. We are not SOC 2 certified — we say so plainly. External auditor engagement is scheduled H2 2026. We disclose our actual status, not a vaporware claim.
Found a vulnerability? We want to hear from you. Report privately to security@g8kepr.com and we will acknowledge within 24 hours with an initial severity assessment and remediation timeline.
Report privately
Email security@g8kepr.com — description, reproduction steps, and impact. PGP-encrypted reports welcome.
We acknowledge within 24h
You receive confirmation and an initial severity assessment. We commit to a remediation timeline.
We patch and keep you updated
P1/P2 issues are patched before public disclosure. We will keep you in the loop on progress.
Coordinated public disclosure
We work with you on timing and credit for public disclosure after the fix is deployed and verified.
Defined runbooks for every severity level — DR drills run quarterly
We publish our posture because we have nothing to hide. If you need the full pentest report, an architecture review session, or a call with our security team, reach out.