How Aembit handles its own security
We build identity management software. We are held to the same standards we ask of your workloads — documented architecture controls, responsible disclosure, and an audit trail of our own access decisions.
Compliance
How we document our security posture
Audit completed March 2026. Audit period: September 2025 – February 2026. Report available to customers evaluating Aembit for production use. Covers Security, Availability, and Confidentiality trust service criteria. Contact us to request the report.
No credential database — Aembit issues ephemeral tokens and never stores credential material. All API communication uses TLS 1.3 minimum. Audit logs are encrypted at rest (AES-256). The control plane runs in isolated tenant namespaces with least-privilege access reviewed quarterly.
- AES-256 encryption at rest
- TLS 1.3 minimum in transit
- Tenant namespace isolation
- Zero stored credential material
- Dependency scanning on every PR
Responsible disclosure
Found a vulnerability?
Encrypt your report using our PGP key (available on the keyserver at keys.openpgp.org). Include reproduction steps, affected version, and impact assessment if you have one.
We acknowledge reports within 24 hours and provide a severity assessment within 72 hours. Critical vulnerabilities are patched within 7 days. We coordinate the disclosure timeline with the reporter.
We offer bounties ranging from $250 (low) to $10,000 (critical) for verified vulnerabilities in the control plane, proxy sidecar, and attestation flow. We do not pursue legal action against good-faith researchers.