Tenant isolation and least privilege
Authenticated access is shop- and role-scoped. Broader two-tenant proof, route classification, and least-privilege evidence continue under the security rebuild.
Security and trust
VehicleDesk is being hardened around tenant isolation, provider verification, least privilege, human approval, recoverability, and evidence. Status labels distinguish implemented controls from work in progress, planned work, and provider-dependent behavior.
Current posture
This page intentionally avoids certification language and sensitive architecture detail. The implementation traceability record remains the engineering authority.
Authenticated access is shop- and role-scoped. Broader two-tenant proof, route classification, and least-privilege evidence continue under the security rebuild.
Closed registration is the production default. Revocable sessions, CSRF classification, stronger login controls, and MFA direction are explicit follow-on work.
TLS is required in transit. Provider credentials are encrypted server-side; backup and key-rotation evidence is being expanded.
Provider secrets stay server-side, encrypted, destination-bound, absent from browser bundles, and tracked through rotation/disconnect procedures.
The plan requires strict origin exposure, WAF/rate controls, bot and DDoS defenses, CSP, HSTS after audit, and monitored edge evidence.
Secret scanning, dependency checks, route-auth checks, build gates, file budgets, and security baselines run locally and in CI where configured.
AI receives minimized context, treats provider/customer text as untrusted, has no autonomous customer-send authority, and cannot replace deterministic eligibility controls.
Security logging uses allowlisted fields and server request IDs. Central alerting, incident exercises, and production response ownership still require operational evidence.
Independent encrypted backups, restore drills, recovery objectives, and tamper-aware evidence must be proven before this control is described as operational.
Data minimization, retention, export, deletion, subprocessor, and offboarding expectations are being formalized and linked to product and legal review.
Communication and AI boundary
Consent, suppression, shop/channel feature gates, provider readiness, approval, queue state, and delivery evidence remain deterministic application decisions outside the model.
Operational evidence
Deployment configuration, owner assignment, provider transition, alerting, recovery drills, and production proof are required before a local implementation is marked complete.
Report a vulnerability
Do not include customer data or active secrets in an initial report. The published security contact provides scope, response expectations, and safe-harbor boundaries.
Vulnerability disclosure
Report only VehicleDesk-owned surfaces and accounts or data you are authorized to test. Stop immediately after any accidental customer-data, credential, or cross-tenant exposure. The monitored mailbox and qualified legal review remain production launch requirements.
In scope
Public VehicleDesk properties and the authenticated CRM/API are in scope when you use only your own authorized account and data. Tenant isolation, authentication, authorization, export, portal, booking, webhook, integration, messaging, and AI-boundary defects are useful reports.
Out of scope
Do not test Shopmonkey, Google, OpenAI, Twilio, Resend, Cloudflare, Railway, GitHub, customer sites, or other third parties. No denial of service, credential attacks, social engineering, spam, persistence, destructive changes, data exfiltration, or high-volume scanning.
Good-faith safe harbor
VehicleDesk will not recommend or pursue legal action solely for good-faith research that follows the published scope, uses authorized accounts/data, avoids harm, stops after demonstrating the issue, and is reported promptly. This does not authorize unlawful activity or testing third-party systems.
Response targets
Targets are acknowledgement within three staffed business days, initial triage within seven, and an update at least every 14 staffed business days while an accepted report remains open. These are coordination targets, not a payment or remediation-time guarantee.
How to report
Email security@vehicledesk.io with the affected surface, impact, minimal steps using your own data, and UTC references. Do not email credentials, active secrets, raw customer data, exploit archives, or provider payloads. Ask for a secure transfer method when sensitive evidence is necessary.
Practical workflow review
Bring one real workflow. We will show what VehicleDesk can support today, what remains controlled, and what setup would require.