Security

We build security infrastructure. We hold ourselves to the same standard.

Vulnerability Disclosure Policy

We welcome responsible security research on Hexon Gateway. If you discover a vulnerability, we want to hear about it — and we'll work with you to resolve it.

Reporting

Send your findings to security@hexon.io. If the issue is sensitive, encrypt your report with our PGP key, which is published at /.well-known/security.txt.

Include:

  • Description of the vulnerability and affected component
  • Steps to reproduce
  • Impact assessment
  • Proof of concept (if available, without causing harm)

Scope

Security research is welcome on all Hexon-operated services and the Hexon Gateway product itself. This includes:

  • Hexon Gateway
  • hexon.io and subdomains
  • registry.hexon.io (container and Helm registry)
  • MCP server and admin CLI interfaces

Out of Scope

  • Denial-of-service attacks
  • Social engineering of employees or customers
  • Physical security testing
  • Unvalidated automated scanner output (SPF/DMARC, TLS cipher lists)
  • Third-party services not under our direct control

Safe Harbor

If you conduct security research in good faith and in accordance with this policy, we will not pursue legal action against you. We consider security research conducted under this policy to be authorized.

Good faith means:

  • Minimize disruption — do not degrade service availability
  • Do not access, modify, or exfiltrate customer data
  • Test only on accounts you own or have explicit permission to test
  • If you encounter customer data, stop and report immediately
  • Give us reasonable time to resolve the issue before public disclosure

Response

We aim to acknowledge reports within 2 business days and provide an initial assessment within 5 business days. Critical vulnerabilities are prioritized immediately.

We do not currently operate a paid bug bounty program. Reporters of valid issues will be credited in our security advisories, with their permission.

Product Security

Hexon Gateway is built with a zero-trust architecture where security is structural, not bolted on:

  • Threshold signing — distributed key generation and cooperative signing across cluster nodes
  • End-to-Origin Encryption — application-layer encryption above TLS with WebAuthn channel binding
  • Forward secrecy — X3DH key exchange with a post-quantum hybrid (ML-KEM-768)

For technical details, see our product overview.

Contact

For security issues: security@hexon.io

For general inquiries: hello@hexon.io