Security Policy

Last updated: 8 March 2026

Responsible Disclosure

We welcome reports of security vulnerabilities in our systems. If you discover a vulnerability, please report it to [email protected].

Scope

The following systems are in scope for security reports:

  • catalyst-neuromorphic.com (website)
  • api.catalyst-neuromorphic.com (Cloud API)
  • @catalyst-neuromorphic/cli (CLI tool)
  • catalyst-cloud (PyPI SDK package)
  • AWS Marketplace AMI (FPGA runtime)
  • FPGA bitstream distribution and licensing

The following are out of scope:

  • Social engineering or phishing attacks against employees
  • Denial of service attacks
  • Automated scanning without coordination
  • Reports from automated tools without a demonstrated impact

Guidelines

  • Do not access, modify, or delete data belonging to other users.
  • Do not degrade service availability.
  • Provide sufficient detail for us to reproduce the issue.
  • Allow 90 days for remediation before public disclosure.

What We Commit To

  • Acknowledge receipt within 48 hours.
  • Provide a severity assessment within 5 business days.
  • Keep you informed of remediation progress.
  • Credit you (if desired) once the fix is deployed.
  • Not pursue legal action against researchers acting in good faith.

Security Practices

Catalyst Neuromorphic implements the following security measures:

Authentication

  • Passwords hashed with bcrypt (PBKDF2 fallback, 200,000 iterations)
  • Session tokens: 256-bit random, SHA-256 hashed before storage
  • API keys: 256-bit random, stored as SHA-256 hashes only
  • TOTP two-factor authentication with backup codes
  • HMAC request signing for API key authentication (SHA-256, HKDF-derived keys)
  • OAuth via GitHub and Google with CSRF state verification

Data Protection

  • All connections over TLS (HTTPS enforced)
  • Database encrypted at rest (Fly.io volumes)
  • Continuous database replication to encrypted S3
  • CLI credentials encrypted with AES-256-GCM (OS keyring preferred)
  • Stripe handles all payment card data (PCI DSS compliant)

Infrastructure

  • Hosted on Fly.io (London region, SOC 2 Type II)
  • Cloudflare CDN with DDoS protection
  • Rate limiting on all authentication and API endpoints
  • Automated cleanup of expired tokens and sessions
  • Health monitoring with database connectivity verification

IP Protection

  • SDK and RTL source distributed as compiled binaries only
  • FPGA bitstreams delivered via signed, time-limited download URLs
  • License key validation with HMAC integrity
  • Device binding for hardware deployments

Contact

Security reports: [email protected]

General enquiries: [email protected]