Security Policy
We practice what we preach. As security professionals, we hold ourselves to the highest standards of data protection and operational security. This page outlines how we secure client data during engagements and protect our own infrastructure.
🔐 Client Data Handling During Testing
Security testing requires access to sensitive systems. Here's how we handle your data responsibly throughout the engagement lifecycle.
Data Collection
During testing, we may collect:
- Application Data: URLs, endpoints, request/response samples, screenshots
- Test Credentials: Temporary accounts you provide for authenticated testing
- Vulnerability Evidence: Proof-of-concept payloads, logs, and exploitation artifacts
- Network Traffic: HTTP requests/responses relevant to discovered vulnerabilities
Data Minimization
We only collect what's necessary.
- No bulk data extraction—we capture only evidence needed for reporting
- Personal data in screenshots is redacted or blurred
- Production databases are never downloaded or cloned
- Testing is designed to be read-only whenever possible
Data Storage
Engagement data is stored securely:
🔒 Encryption
- At Rest: AES-256 encryption
- In Transit: TLS 1.3
- Backups: Encrypted and air-gapped
👥 Access Control
- Role-based access (RBAC)
- Multi-factor authentication (MFA)
- Principle of least privilege
- Audit logging enabled
🗄️ Infrastructure
- SOC 2 Type II certified data centers
- Isolated project environments
- Regular security audits
- Intrusion detection systems
🗑️ Data Deletion and Retention
Automatic Deletion Timeline
Post-Engagement Data Lifecycle:
- Test Credentials: Deleted immediately after testing completes
- Raw Test Data: Deleted 90 days after report delivery
- Reports: Retained for 2 years (or as agreed in contract)
- Anonymized Metadata: Retained indefinitely for research (vulnerability types, not client-specific)
Early Deletion Requests
Need data deleted sooner? Contact us at hello@redteamkit.com. We'll securely wipe all engagement data within 7 business days and provide written confirmation.
Secure Deletion Process
- Multi-pass overwrite (DoD 5220.22-M standard)
- Cryptographic key destruction for encrypted data
- Backup purging from all systems
- Certificate of destruction available upon request
⚠️ Responsible Disclosure
If we discover critical vulnerabilities during testing that pose immediate risk to user data or system integrity, we follow a structured disclosure process.
Our Disclosure Protocol
- Immediate Notification: We alert you within 4 hours of discovering critical issues (RCE, SQLi with data access, authentication bypass)
- Pause Testing: Testing is paused until critical vulnerabilities are triaged
- Secure Communication: Findings are shared via encrypted channels only
- No Public Disclosure: We never publicly disclose vulnerabilities without your written consent
- Remediation Support: We provide guidance and verify fixes before testing resumes
Zero-Day Discoveries: If we discover a previously unknown vulnerability in third-party software (framework, library, etc.) during your engagement:
- You are notified first and given time to patch/mitigate
- We coordinate with the affected vendor using standard CVE disclosure timelines
- Your identity remains confidential unless you choose to be credited
🛡️ Our Own Security Practices
As a security company, we're a high-value target. Here's how we protect our own infrastructure and operations.
Operational Security
🔑 Identity & Access
- Hardware security keys (YubiKey)
- Password manager enforcement
- Regular access reviews
- Offboarding automation
💻 Workstation Security
- Full-disk encryption (mandatory)
- Endpoint detection and response
- Automatic security updates
- VPN for remote work
🌐 Infrastructure
- Zero-trust architecture
- Network segmentation
- SIEM logging and alerting
- Quarterly penetration tests
Security Audits and Compliance
We undergo regular third-party security assessments:
- Annual Penetration Testing: External security firm tests our infrastructure
- SOC 2 Type II: Annual audit of security controls (in progress)
- OWASP Top 10: Our own web applications are tested against the same standards we use for clients
- Vulnerability Scanning: Weekly automated scans of all public-facing systems
Certifications:
- CEH (Certified Ethical Hacker)
- OSCP (Offensive Security)
- ISO 27001 (in progress)
🚨 Security Incident Response
Despite our best efforts, no system is 100% secure. If a security incident occurs affecting client data, we have a documented response process.
Incident Response Plan
- Detection & Analysis (0-2 hours): Identify scope, affected data, and root cause
- Containment (2-6 hours): Isolate affected systems, revoke compromised credentials
- Client Notification (within 24 hours): Inform affected clients with known details
- Eradication & Recovery (24-72 hours): Remove threat, restore from clean backups
- Post-Incident Review (within 7 days): Root cause analysis and preventive measures
What You Can Expect
In the event of a security incident affecting your data:
- Immediate Notification: No delays—we tell you as soon as we know
- Transparent Communication: Regular updates until resolution
- Forensic Report: Detailed timeline and root cause analysis
- Remediation Support: Help determining if your systems are affected
- Legal Compliance: Assistance with regulatory notifications if required
🐛 Security Researchers: Report Vulnerabilities
Find a security issue in our systems? We welcome responsible disclosure from the security community.
Scope
In-Scope:
- redteamkit.com (main website)
- app.redteamkit.com (client portal)
- api.redteamkit.com (API endpoints)
Out-of-Scope:
- Social engineering of employees
- Physical security tests
- Denial of service attacks
- Third-party services we use (report directly to them)
How to Report
Email: security@redteamkit.com
PGP Key: Available at /.well-known/security.txt
Include: Vulnerability description, reproduction steps, potential impact, and any proof-of-concept code. We'll respond within 48 hours.
Recognition
We don't currently offer monetary rewards, but we're happy to:
- Credit you on our security researchers page (with your permission)
- Provide a reference letter for your portfolio
- Offer a discount on our services for your own projects
📧 Contact for Security Concerns
Have questions about our security practices? Need to report a concern? We're here to help.
Security Contact
Email: security@redteamkit.com
General Inquiries: hello@redteamkit.com
Website: redteamkit.com
Security reports: <24h response | General inquiries: 24-48h response
Security is not a one-time audit—it's an ongoing commitment. We take it seriously because your trust depends on it.