Security at BannedPantry

We take the security of our users' data seriously. This page describes our practices and how you can report a vulnerability.

Our security practices

  • Encryption in transit: TLS 1.2+ enforced via HSTS preload.
  • Encryption at rest: All user data encrypted by our database provider (Supabase / Postgres).
  • No card data on our servers: Payments are processed by Stripe (PCI-DSS Level 1). We never see or store your card number.
  • Row-level security: Every user-data table in our database is locked to the authenticated owner.
  • Strict Content Security Policy: Mitigates XSS, clickjacking, and code injection.
  • Rate limiting: Public endpoints throttle abusive traffic.
  • Least-privilege secrets: Production secrets are scoped per environment in Vercel.
  • MFA: Multi-factor authentication enabled on all admin accounts (Vercel, Supabase, Stripe, GitHub, Cloudflare).
  • Dependency monitoring: Automated vulnerability scanning on third-party packages.
  • Backups: Daily automated database backups with point-in-time recovery.

Compliance posture

  • PCI DSS v4.0: SAQ A eligible (Stripe-hosted checkout — no cardholder data touches our systems).
  • OWASP Top 10 (2021): Mitigations in place for A01–A10. See our public threat model.
  • NIST Cybersecurity Framework 2.0: Aligned across Govern, Identify, Protect, Detect, Respond, Recover.
  • CIS Controls v8: Implementing Group 1 baseline.
  • GDPR / CCPA: Privacy and data-deletion rights honored — see our Privacy Policy.

Report a vulnerability

If you believe you have found a security vulnerability, please email security@bannedpantry.com.

Please include: a description of the issue, steps to reproduce, the URL or endpoint affected, and (if relevant) a proof-of-concept. We will acknowledge receipt within 72 hours and aim to provide a remediation timeline within 7 days.

Safe-harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Only interact with their own accounts or test accounts they create.
  • Do not exploit a vulnerability beyond the minimum needed to demonstrate it.
  • Give us a reasonable window to remediate before public disclosure.

Out of scope

  • Social engineering of our staff or contractors.
  • Physical attacks against our facilities or infrastructure.
  • Denial-of-service attacks.
  • Reports from automated scanners without evidence of exploitability.
  • Issues in third-party services (Stripe, Supabase, Vercel) — please report to them directly.

Acknowledgments

Thanks to the researchers who responsibly disclose issues to us. Names of researchers who consent to public credit will be listed here.

Last updated: June 13, 2026. Machine-readable version: /.well-known/security.txt

Sign up free — 5 scans every day →