Security

Security posture + responsible disclosure

How EntrepreneurBible protects your account and data — and how to report a vulnerability if you find one.

Last updated: 2026-05-19

Account security basics

  • Use a strong, unique password (long passphrase or password manager).
  • If you use OAuth (Google, GitHub), the security of your EntrepreneurBible account depends on the security of that provider — keep their 2FA enabled.
  • Don't share your account. One person per account.
  • Sign out from shared devices (settings page).

Our security posture

  • Auth: NextAuth.js v5 with JWT session tokens. Passwords hashed with bcrypt (cost 12).
  • Transport: TLS 1.2+ minimum, HSTS preload, Cloudflare-proxied.
  • Database: Supabase Postgres in EU region. Connections TLS-encrypted.
  • Hosting: Hetzner Cloud (EU). Application servers behind Cloudflare.
  • Backups: nightly encrypted DB backups with 30-day retention.
  • Secrets: never committed to git. Rotated as needed.

Password and session guidance

Change your password from /settings. Sessions expire after 30 days of inactivity. If you suspect a session compromise, change your password — it invalidates existing sessions.

Responsible disclosure

If you've found a security issue, please tell us before sharing publicly. Email security [at] entrepreneurbible.net with:

  • A description of the vulnerability
  • Steps to reproduce
  • What an attacker could do with it
  • Your contact for follow-up

We acknowledge reports within 48 hours and aim to resolve confirmed issues within 14 days for high-severity items. We don't currently run a bug bounty, but we credit researchers (with permission) and may award discretionary thanks.

Out of scope

  • Reports without a working proof-of-concept
  • Theoretical issues without practical exploit paths
  • Issues in third-party dependencies (please report to upstream)
  • Social engineering of our team or users
  • DDoS / volumetric attacks (handled by Cloudflare)

Data retention overview

We keep account and usage data as long as your account exists. Delete your account from /settings and we remove personal data within 30 days, except where law requires retention (financial records typically 7 years).

Sub-processors

See our privacy policy for the current list of sub-processors (Supabase, Cloudflare, Resend, Hetzner, Stripe). Each has a signed DPA.