Security policy.

We take the security of the platform and your data seriously. This page outlines our security practices and how to responsibly report a vulnerability if you find one.

Last updated: 2026-04-21 · Disclosure: coordinated · Response SLA: 48 hours

01 Platform security

  • Authentication — all user authentication is handled via Google OAuth 2.0. We do not store passwords. Session tokens are short-lived and stored server-side.
  • Transport — all traffic is served over HTTPS with HSTS headers. HTTP connections are redirected.
  • Data isolation — each user's session data, trade records, and journal entries are logically isolated. API endpoints enforce ownership checks on all resources.
  • Input validation — every request is validated and sanitized at the API boundary. Database access uses parameterized queries exclusively, eliminating SQL injection across the stack.
  • Dependency hygiene — third-party libraries are pinned to known-good versions and continuously audited against published vulnerabilities. Security patches are applied on an accelerated timeline.

02 Responsible disclosure

If you discover a security vulnerability in Backcandle, please report it to us before disclosing it publicly. We commit to:

  • Acknowledge your report within 48 hours
  • Provide a status update within 7 days
  • Work with you to understand and reproduce the issue
  • Notify you when the vulnerability is resolved
  • Credit you (by name or handle, as you prefer) in our changelog if you wish

We ask that you do not access, modify, or delete data belonging to other users during research, and that you do not disclose the issue publicly until we have had reasonable time to address it.


03 How to report

Email security@backcandle.com with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant URLs, request/response samples, or screenshots
  • Your preferred contact method for follow-up

For sensitive reports you can encrypt your email using our PGP key — available on request from the same address.


04 Scope

In scope: backcandle.com and all subdomains, the web application, and the REST API.

Out of scope: social engineering, phishing, physical attacks, volumetric denial-of-service, and issues in third-party services we do not control (Google OAuth infrastructure, CDN providers).


05 Bug bounty

We do not currently operate a formal paid bug bounty program. We do credit researchers in our changelog and are happy to discuss recognition for significant findings.