
Security

How MICCI secures customer data + responsible-disclosure policy.

Reporting a vulnerability

If you've found a security issue, email security@hoststack.dev. We respond within one business day. Please give us 90 days to fix before public disclosure.

The machine-readable version of this policy lives at /.well-known/security.txt.

In scope

  • hoststack.dev and its subdomains.
  • The published npm packages @hoststack.dev/sdk, /cli, /mcp.
  • The agent runtime that runs customer containers.
  • Public REST + WebSocket APIs.

Out of scope

  • Customer applications running on HostStack. Report those directly to the team that owns the app — we will forward unsigned reports.
  • Denial-of-service attempts. We rate-limit aggressively; please don't try.
  • Social engineering / phishing of HostStack staff.
  • Findings that depend on physical access, malicious admin actions, or compromised customer credentials.

What we do

  • Session tokens are HTTP-only secure cookies, rotated on 2FA changes.
  • Passwords use Argon2id. 2FA recovery codes are Argon2id-hashed; plaintext is shown once and dropped.
  • Environment variables are encrypted at rest with AES-256-GCM. Multi-key rotation is supported.
  • API keys are stored as hashes; only the last 4 chars are kept in clear for the user to identify a key in the dashboard.
  • All deploys run inside Docker containers with capabilities dropped, a read-only rootfs, and per-service memory + CPU limits enforced by the kernel.
  • gVisor is available as the container runtime for additional kernel isolation on shared workers.
  • TLS via Let's Encrypt for custom domains; HSTS, X-Frame-Options, CSP, and Referrer-Policy are set at the reverse proxy.
  • Stripe webhook payloads are signature-verified; idempotency markers prevent replay.
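
The last item above, signature verification plus idempotency markers, sketched as an added example; it is not HostStack's code. The `t=...,v1=...` header and the HMAC-SHA256 over `<timestamp>.<payload>` follow Stripe's documented v1 scheme; the function names, the 5-minute tolerance, the in-memory `seen` set and the sample secret and event are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumption: reject events signed more than 5 minutes ago


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<payload>", hex-encoded (Stripe's v1 scheme)."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_header(header: str):
    """Split "t=...,v1=...,v1=..." into a timestamp and the list of v1 signatures."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def handle_webhook(payload: bytes, header: str, secret: str, seen: set, now=None) -> str:
    """Return "processed", "duplicate", or "rejected: <reason>"."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_header(header)
    if timestamp is None or not signatures:
        return "rejected: malformed header"
    expected = sign(secret, timestamp, payload).encode()
    # Verify over the raw body bytes, in constant time, before parsing any JSON.
    if not any(hmac.compare_digest(expected, s.encode()) for s in signatures):
        return "rejected: bad signature"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return "rejected: stale timestamp"
    event_id = json.loads(payload)["id"]
    if event_id in seen:  # idempotency marker: this event was already handled
        return "duplicate"
    seen.add(event_id)  # a real service would use a unique-keyed row written atomically
    return "processed"


# Constructed sample secret and event, not real Stripe data.
SECRET = "whsec_constructed_example"
EVENT = b'{"id": "evt_constructed_001", "type": "invoice.paid"}'
```

The timestamp check bounds how long a captured request stays valid; the idempotency marker covers redelivery of the same event inside that window.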

Database high availability

Managed Postgres on the starter tier runs single-node with daily snapshots + S3 off-site backups; an agent-host outage means that database is unreachable until the host returns. For the standard and pro tiers we offer a Patroni-based HA option (1 leader + 2 sync replicas + HAProxy in front, automatic failover within ~5 seconds). HA is currently a per-team opt-in beta — enable it from a team's admin page, then either provision a new HA Postgres or upgrade an existing standalone via the database detail page (brief read-only window during the cutover; the standalone stays as a rollback target for 24 h).

What we don't do (yet)

We are transparent about gaps. The following are scoped for upcoming releases and are not currently part of the platform:

  • Cross-region (not cross-host) database failover. The HA option above places all three Patroni members in a single Hetzner region; a full-region outage would still take the cluster offline. Multi-region replication remains on the roadmap.
  • SOC2 / ISO27001 audit. We follow the controls; the audit itself is on the roadmap once paying revenue justifies the cost.
  • Customer-managed encryption keys (BYOK). Volumes use the host's full-disk encryption today; per-customer keys are a roadmap feature.

Sub-processors

The third parties HostStack relies on to deliver the service are listed in the Data Processing Agreement.
