Security at RoboDIB

We take security seriously. This page describes how we protect your data and how to responsibly report a vulnerability if you find one.

How we protect your data

Encryption in transit

All data between your browser and our servers is encrypted with TLS 1.3. We enforce HTTPS across all subdomains with HSTS.

Authentication

We use OTP-based passwordless login with short-lived session tokens (30 days). Tokens are rotated on each login and invalidated on logout.

Data minimisation

We only collect data we actually need. Location data requires explicit opt-in. We never store raw payment details — only payment confirmation references.

Infrastructure

Our backend runs on hardened cloud infrastructure. MongoDB is not exposed to the public internet. Admin access requires VPN + MFA.

Responsible disclosure

If you discover a security vulnerability in RoboDIB, please report it to us privately before any public disclosure. We will investigate and respond within 72 hours.

Email: [email protected]

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information (optional for recognition)

We ask that you do not publicly disclose the issue until we have had 90 days to resolve it. We do not currently offer a bug bounty programme, but we will publicly acknowledge responsible reporters (if they wish).

In scope

  • robodib.com and api.robodib.com
  • Authentication and session handling
  • Data access controls and authorisation issues
  • Injection vulnerabilities (SQL, NoSQL, command)
  • Cross-site scripting (XSS) with meaningful impact

Out of scope

  • Social engineering attacks against our staff
  • Physical attacks against our office or infrastructure
  • Denial of service attacks
  • Spam or automated account creation
  • Issues in third-party services we use