Our Commitment
Security is built into Bulbie at every layer — from how we store passwords to how we manage file access. Below is an overview of the controls we have in place.
Encryption in Transit
All traffic between your browser/app and our servers is encrypted using TLS 1.2+. File uploads to Cloudflare R2 are also transmitted over HTTPS.
Secure Authentication
Passwords are hashed with bcrypt. We support OAuth sign-in (Google, GitHub) as an alternative to passwords. Sessions use secure, HTTP-only cookies with short expiry.
Least Privilege Access
Each project has fine-grained role-based permissions (owner / admin / member / viewer). Users can only access data they have been explicitly granted access to.
Infrastructure
We run on hardened Linux servers. Database credentials, API keys, and secrets are stored as environment variables — never in source code.
Vulnerability Disclosure
Found a security issue? Please report it responsibly to security@bulbie.app. We aim to triage reports within 72 hours.
Data Isolation
Each user's data is scoped to their account. Project data is only accessible to users who have been explicitly invited with a project permission. Direct messages are only visible to the two participants.
Backups
Database backups run automatically. Backups are encrypted at rest and stored in a separate region. We test restoration procedures regularly.
Dependency Management
We keep third-party dependencies up to date and monitor for known vulnerabilities using automated scanning in our CI pipeline.
Report a Vulnerability
If you discover a security vulnerability, please email security@bulbie.app. Please do not disclose vulnerabilities publicly until we've had a chance to investigate and remediate. We appreciate responsible disclosure and will acknowledge you if you wish.