Security

How we protect your data and what to do if you find a vulnerability.

Authentication

Authentication is handled by Clerk, an industry-standard identity platform. Corbit never stores passwords directly — all credential management is delegated to Clerk, which supports multi-factor authentication and follows security best practices for session token handling.

Data access controls

Our database uses row-level security (RLS) policies enforced at the database layer via Supabase. This means users can only read or write data they are authorized to access, even if application-level checks are bypassed. API routes additionally verify JWT tokens on every authenticated request.

Data in transit

All communication between your browser and Corbit servers is encrypted via HTTPS/TLS. We do not transmit sensitive user data over unencrypted channels.

Infrastructure

Corbit is hosted on Vercel (frontend) and Render (backend API). Both platforms provide managed infrastructure with automatic TLS, DDoS protection, and environment secret management. Database credentials and API keys are stored as environment variables, never in source code.

Reporting a vulnerability

If you discover a security vulnerability, please report it responsibly by emailing us at pockyleeeee@gmail.com. Please do not disclose the issue publicly until we have had a chance to investigate and address it. We aim to respond to security reports within 48 hours.

When reporting, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce
  • Any relevant URLs, screenshots, or proof of concept

Breach notification

If we become aware of a security breach that affects your personal data, we will notify affected users as required by applicable law — typically within 72 hours of discovery. Notification will be sent to the email address on your account and, where required, to relevant regulatory authorities.

Scope

In-scope targets include the Corbit web application at askcorbit.com and its API. Out of scope: social engineering attacks, physical security, and third-party services (Clerk, Supabase, Vercel, Railway).