Fort Knox this is not
We take security seriously. We've said it on this page, which makes it legally true.
HTTPS enabled
The lock icon in the browser. That's our entire security strategy.
Passwords hashed
We use bcrypt. Or SHA-256. Or ROT13. Someone on the team handled this and they've since left.
Database encrypted
The database is encrypted at rest. Unfortunately, it's never at rest because it's constantly crashing.
API keys rotated
Our API keys have not been rotated since launch. They're also in a public GitHub repo. We know.
Penetration testing
We asked our friend to try to hack us. He got in immediately. We said 'nice' and moved on.
Bug bounty program
We can't afford to pay you for finding bugs when we can barely afford to create them.
Two-factor authentication
Available but the SMS never arrives. We think our Twilio account got suspended.
Security team
Our security team is one person who watches cybersecurity TikToks during lunch.
Full transparency. These are all our security incidents. That we know of.
Rotated the keys (first time ever). Dave was thanked for triggering our first-ever key rotation.
Nobody noticed for 3 weeks. Fixed when someone accidentally added auth while debugging something else.
Everyone was logged in as everyone. We called it a 'social feature' until we fixed it.
It expired. Site was down for 2 days. We blamed Cloudflare (it was not Cloudflare's fault).
If you discover a security vulnerability, please don't tell anyone. Just kidding — please report it to security@hatable.dev (which forwards to support@hatable.dev, which forwards to /dev/null).
We do not offer a bug bounty, but if your finding is particularly embarrassing, we will name a generated app after you.
Our PGP key is available upon request. We lost the private key but the public key is very nice to look at.