
Security

Last updated: May 2025

Our Commitment

Security is a first-class concern in every project we deliver. We apply defence-in-depth practices across our development workflow, infrastructure, and client data handling to reduce exposure and respond rapidly to emerging threats.

Secure Development Lifecycle

  • All code undergoes peer review before merging to production branches.
  • Dependencies are audited regularly using automated scanning tools (e.g., npm audit, Dependabot).
  • OWASP Top 10 mitigations are applied as standard across all web applications we build.
  • Input validation and output encoding are enforced at every API boundary.

Infrastructure & Data

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Secrets and API keys are stored in environment variables or dedicated secrets managers — never hardcoded.
  • Access to production environments is restricted to authorised personnel via SSH keys and MFA.
  • Automated backups are taken daily with point-in-time recovery.

Authentication Standards

For products we build that include authentication, we implement:

  • Short-lived JWT access tokens (15 min) with rotating refresh tokens.
  • Passwords hashed with bcrypt (cost factor ≥ 12).
  • Rate limiting on all authentication endpoints.
  • Optional multi-factor authentication for admin-level accounts.
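As an added illustration of the standards listed above (not part of this policy and not Verixsoft code), a small Python lint that checks whether a stored bcrypt hash and an issued access token satisfy the stated cost factor (≥ 12) and access-token lifetime (15 minutes). The sample hash and token are constructed inline, and the JWT claims are read without signature verification because this is a configuration check, not an authenticator.

```python
import base64
import json
import re
from typing import Optional

# Policy values taken from the Authentication Standards above.
MIN_BCRYPT_COST = 12
MAX_ACCESS_TOKEN_LIFETIME_S = 15 * 60

# Modular-crypt bcrypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_cost(hash_str: str) -> Optional[int]:
    """Return the cost factor encoded in a bcrypt hash, or None if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None

def bcrypt_meets_policy(hash_str: str) -> bool:
    cost = bcrypt_cost(hash_str)
    return cost is not None and cost >= MIN_BCRYPT_COST

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_lifetime_seconds(token: str) -> Optional[int]:
    """exp - iat from the payload; the signature is NOT verified (lint only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None
    return exp - iat

def jwt_meets_policy(token: str) -> bool:
    life = jwt_lifetime_seconds(token)
    return life is not None and 0 < life <= MAX_ACCESS_TOKEN_LIFETIME_S

def make_sample_jwt(claims: dict) -> str:  # constructed, unsigned sample token
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed placeholders: correct bcrypt shape (not a real digest) and a 900 s token.
SAMPLE_HASH = "$2b$12$" + "a" * 53
SAMPLE_TOKEN = make_sample_jwt({"sub": "user-1", "iat": 1_700_000_000, "exp": 1_700_000_900})
```

Run the two `*_meets_policy` functions over hashes pulled from the user store and tokens captured from a test login to spot configurations that drift from the stated standard.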

Reporting a Vulnerability

If you discover a security issue in any Verixsoft product or website, please report it responsibly by emailing contact@verixsoft.com with the subject line "Security Disclosure". We will acknowledge receipt within 48 hours and aim to resolve confirmed issues within 14 days.

We ask that you do not publicly disclose the issue until a fix has been released. We do not currently offer a bug bounty programme, but we genuinely appreciate responsible disclosures.