Spire Coast · Security
How we handle credentials, code, and your data.
Security is mostly habits, written down. Here’s what ours look like, and how to report a vulnerability if you find one.
Last updated · May 2026
§ 01 · Practices
Six things, from boring to interesting.
Credentials
1Password for everything.
Every credential the studio touches lives in 1Password, in vaults scoped per client. No shared passwords, no spreadsheets of API keys, no credentials pasted into Slack threads. A hardware security key plus biometric unlock on every account that supports them.
Code
Private repos with branch protection.
All client code lives in private repositories. Branch protection on main requires a reviewed pull request, passing status checks, and signed commits; direct pushes and force-pushes to main are blocked. The rules are enforced for administrators too, so there is no exception for the founder.
Deploys
Reviewed before they ship.
Production deploys run through CI. The pipeline runs tests, type-checks, linting, and security scanning, and each stage has to pass before the deploy proceeds. Every deploy gets a Linear ticket linking the changes and a tagged release in GitHub.
Data
Encryption at rest and in transit.
TLS on every public endpoint. Encryption at rest on every backing service we use (Neon, Postgres on Hetzner, R2). Backups are encrypted with a key we control and stored with a provider other than the one that holds the primary data.
Access
Principle of least privilege.
Production access is read-only by default. Write access is granted per engagement to a named individual and revoked when the engagement ends. We don’t hold root credentials to your infrastructure unless your SOW specifically asks us to.
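One way to express this access model on a Postgres backend, as an added example rather than a copy of the studio's own role setup. The database name (app), schema (public), the app_owner role that keeps ownership of tables, the group role names and the engagement role eng_acme_2026q2_josh are all assumptions for illustration.

```sql
-- Added example: a least-privilege role layout for a Postgres client database.
-- Assumed names: database "app", schema "public", owner role "app_owner",
-- engagement login role "eng_acme_2026q2_josh". Run as app_owner so that the
-- ALTER DEFAULT PRIVILEGES lines cover tables it creates later.

-- 1. Read-only is the default: a NOLOGIN group role that can only SELECT.
CREATE ROLE prod_readonly NOLOGIN;
GRANT CONNECT ON DATABASE app TO prod_readonly;
GRANT USAGE ON SCHEMA public TO prod_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO prod_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO prod_readonly;

-- 2. Write access is a separate group role, granted only when an SOW asks for it.
CREATE ROLE prod_write NOLOGIN;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO prod_write;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO prod_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT INSERT, UPDATE, DELETE ON TABLES TO prod_write;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT USAGE, SELECT ON SEQUENCES TO prod_write;

-- 3. Each engineer on each engagement gets a named login role. It is read-only
--    by inheritance, and its password stops working on the SOW end date even
--    if nobody remembers to revoke it.
CREATE ROLE eng_acme_2026q2_josh LOGIN
  PASSWORD 'replace-with-generated-secret'  -- lives in the per-client 1Password vault
  VALID UNTIL '2026-07-01'
  CONNECTION LIMIT 3;
GRANT prod_readonly TO eng_acme_2026q2_josh;

-- 4. Write access, if and only if the SOW grants it.
GRANT prod_write TO eng_acme_2026q2_josh;

-- 5. Who currently holds write access? (The list a client can ask for.)
SELECT r.rolname, r.rolvaliduntil
FROM pg_roles r
JOIN pg_auth_members m ON m.member = r.oid
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'prod_write' AND r.rolcanlogin;

-- 6. No studio-held login should appear here: superusers that can log in.
SELECT rolname FROM pg_roles WHERE rolsuper AND rolcanlogin;

-- 7. Engagement over: revoke, hand anything the role created to app_owner,
--    then drop the role. DROP ROLE refuses while the role still owns objects,
--    which is the point: nothing is left behind that only this role can touch.
REVOKE prod_write FROM eng_acme_2026q2_josh;
REASSIGN OWNED BY eng_acme_2026q2_josh TO app_owner;
DROP OWNED BY eng_acme_2026q2_josh;
DROP ROLE eng_acme_2026q2_josh;
```

The two SELECTs are the audit half of the model: the first is the list of named people who can currently write, the second should contain only the hosting provider's own maintenance roles on a managed service such as Neon, never a credential the studio holds.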
Audit
Everything is logged.
Every change to client systems is logged with who made it, when, and what changed. Access logs are retained for 90 days minimum, longer if your SOW specifies. We can produce an audit trail on request.
§ 02 · Reporting a vulnerability
If you find something, tell us.
We’d rather hear about an issue from a researcher than read about it on Hacker News. Here’s how we handle a report.
Step 01
Email us, encrypted if you can.
Send a description of the issue, reproduction steps, and the affected URL or endpoint to security@spirecoast.com. PGP key on request.
Step 02
We acknowledge within one business day.
You’ll get a real reply, not an autoresponder. We confirm receipt and a rough triage timeline within one business day.
Step 03
We fix or explain.
Critical issues get patched within seven days. Non-critical issues get a written timeline and a fix. If we decide an issue isn’t exploitable, we tell you why.
Step 04
We credit you, if you want.
Reporters who want public credit get listed on this page after the fix ships. Reporters who want to stay anonymous, stay anonymous.
§ 03 · Out of scope
A short list of what we won’t treat as a vulnerability.
Self-XSS, and social-engineering attacks against the founder’s personal accounts.
Missing security headers on marketing pages where no user data is handled.
Vulnerabilities in third-party SaaS we don’t operate — please report those to the vendor.
Volumetric or denial-of-service testing.
§ 04 · Contact
Two addresses, both reach the founder.
For vulnerability reports: security@spirecoast.com. For everything else: josh@spirecoast.com.