Security

Our public security posture, vulnerability-disclosure procedure, and audit commitments.

Reporting a vulnerability

If you believe you have found a security issue affecting Rayn (the website, the API, the client applications, or any related infrastructure), we want to hear from you. Email legal@raynlabs.io with the subject line "Security Report".

Please include:

  • A description of the issue and the steps to reproduce it
  • The component affected (web, API, client, infrastructure)
  • Your assessment of severity and any proof-of-concept material
  • Whether you intend to publish your findings, and on what timeline

We acknowledge reports within 72 hours, triage within 7 days, and aim to remediate critical issues within 30 days. We support coordinated disclosure and ask researchers to give us reasonable time to remediate before public disclosure.

Safe harbor

We do not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations and service disruption
  • Only interact with their own accounts or accounts they have explicit permission to test
  • Do not exfiltrate data beyond what is necessary to demonstrate the issue
  • Give us reasonable time to remediate before public disclosure

Audit and transparency

Rayn Labs is committed to publishing third-party security audits as the company matures. We plan to engage an independent firm to audit the client applications and core network infrastructure within twelve months of public launch, and to publish the resulting report.

We also plan to publish an annual transparency report covering law-enforcement requests received and our response to each, in line with industry practice.

Our security commitments

  • Modern authenticated encryption (AES-256-GCM, ChaCha20-Poly1305) on every protocol
  • TLS 1.3 for all web and API traffic; HSTS preloaded
  • Strict Content Security Policy with no inline scripts (see our deployed headers)
  • Salted-and-hashed password storage
  • No-log policy for connection metadata, DNS queries, and traffic content
  • Segmented server pools to contain the impact of any single incident

Contact

Security issues: legal@raynlabs.io
Privacy questions: privacy@raynlabs.io