Security at oknek.
We are a security company. Our credibility depends on being secure ourselves. This page documents how to report a vulnerability you find in any oknek artifact, our SLA for responding, what's in scope, and the public-facing security practices that protect oknek.com and the daemon.
found something? · we want to know
Reporting a vulnerability.
Email [email protected] with a clear write-up of the finding, reproduction steps, and the impact. PGP welcome but not required. Please do not disclose publicly before we have had a chance to confirm and remediate.
We follow coordinated disclosure: we acknowledge receipt within 48 hours, triage within 5 business days, and aim to ship a fix or mitigation within 30 days for high-severity findings. We will credit you in the changelog and on the acknowledgments list below unless you ask to remain anonymous.
Machine-readable disclosure metadata is published at /.well-known/security.txt.
in scope · out of scope
What we want reports about.
In scope
- The oknekd daemon (any version)
- The oknek CLI
- The base rule pack (R1–R7) — false negatives, bypass techniques, evasion
- The signed rule-pack update channel
- Cloudflare-hosted oknek.com, including /api/* endpoints
- The install.sh script and its integrity verification
- D1-stored email signups (privacy + integrity)
Out of scope
- Findings from automated scanners without working PoC
- Self-XSS, missing rate limits on non-sensitive endpoints, clickjacking on pages without sensitive state
- Email spoofing on a domain we don't own
- Vulnerabilities in third-party services (Cloudflare, Resend, GitHub) — report those upstream
- Open-redirect on docs links to external sites
- SPF/DKIM/DMARC issues on hosts we don't run mail from yet
- Social engineering of our team
what protects oknek itself · audit-ready receipts
Our own security posture.
A security company that fails a basic audit is dead on arrival. Below is the live state of oknek.com across three layers: the HTTP application surface, the Cloudflare edge that fronts every request, and the operational practices behind the scenes. Verify any of it with curl -I https://oknek.com/ or external scanners like Mozilla Observatory.
Application layer (our HTTP responses)
| Control | State |
|---|---|
| HSTS (preload-ready, 2 years, includeSubDomains) | ✓ enabled |
| Content Security Policy (strict, no inline JS without explicit allow) | ✓ enabled |
| X-Frame-Options: DENY · X-Content-Type-Options: nosniff | ✓ enabled |
| Permissions-Policy (camera, mic, geo, payment, USB, sensors all disabled) | ✓ enabled |
| Cross-Origin-Opener-Policy · Cross-Origin-Resource-Policy | ✓ enabled |
| Referrer-Policy: strict-origin-when-cross-origin | ✓ enabled |
| /api/signup rate-limited (5 req/IP/60s, D1-backed) | ✓ enforced |
| Email-enumeration leak on signup endpoint | ✓ closed |
| Custom 404 page (no info leak via stack traces) | ✓ live |
| /.well-known/security.txt · disclosure policy linked | ✓ live |
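A small checker, added here as an example and not part of oknek's own tooling, that evaluates a captured `curl -I` response against the application-layer controls in the table above. The header values in SAMPLE_OK are constructed sample data, not a live capture from oknek.com; the HSTS threshold, the Permissions-Policy feature list and the CSP rule (no `'unsafe-inline'` for scripts unless a nonce or hash makes browsers ignore it) are the checks this page's table implies.

```python
import re

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s, the HSTS lifetime the table claims

# Constructed sample of `curl -I` output (not a live capture from oknek.com).
SAMPLE_OK = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'nonce-d3adb33f'; object-src 'none'
x-frame-options: DENY
x-content-type-options: nosniff
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
referrer-policy: strict-origin-when-cross-origin
"""

def parse_headers(raw: str) -> dict:
    """Map lowercase header name -> value; the status line and blank lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def script_src_allows_inline(csp: str) -> bool:
    """True if the effective script source list (script-src, else default-src) permits inline JS."""
    directives = {}
    for d in csp.lower().split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    # A nonce or hash makes browsers ignore 'unsafe-inline', so that combination still counts as strict.
    nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not nonced

def check_controls(raw: str) -> dict:
    """Evaluate each application-layer control from the table; returns {control: passed}."""
    h = parse_headers(raw)
    hsts = h.get("strict-transport-security", "").lower()
    max_age = re.search(r"max-age=(\d+)", hsts)
    perms = h.get("permissions-policy", "").replace(" ", "")
    csp = h.get("content-security-policy", "")
    return {
        "hsts_2y_includesubdomains_preload": bool(max_age) and int(max_age.group(1)) >= TWO_YEARS
            and "includesubdomains" in hsts and "preload" in hsts,
        "csp_strict_no_inline_js": bool(csp) and not script_src_allows_inline(csp),
        "x_frame_options_deny": h.get("x-frame-options", "").upper() == "DENY",
        "x_content_type_options_nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "permissions_policy_sensors_off": all(f"{f}=()" in perms for f in
                                              ("camera", "microphone", "geolocation", "payment", "usb")),
        "coop_and_corp_present": "cross-origin-opener-policy" in h and "cross-origin-resource-policy" in h,
        "referrer_policy_strict": h.get("referrer-policy", "").lower() == "strict-origin-when-cross-origin",
    }
```

Pipe real `curl -sI https://oknek.com/` output into `check_controls` to get a pass/fail per control; any False row is a regression against the table above.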
Edge layer (Cloudflare, in front of every request)
| Control | State |
|---|---|
| TLS 1.3 negotiation · Google Trust Services cert · auto-renewing | ✓ enforced |
| SSL/TLS mode: Full (Strict) (visitor↔CF↔origin all encrypted + cert-validated) | ✓ enforced |
| DNSSEC at Cloudflare | ✓ active |
| CAA records (cert-issuance allowlist) | ✓ Google + Let's Encrypt only |
| HTTP DDoS attack protection (L7, CF-managed ruleset) | ✓ always-active |
| Network-layer DDoS protection (L3/L4: SYN-flood, ACK, UDP, Mirai-class) | ✓ always-active |
| SSL/TLS DDoS protection (handshake-exhaustion, SSL renegotiation attacks) | ✓ always-active |
| Bot Fight Mode (signature-based bad-bot blocking) + JS Detections | ✓ enabled |
| Browser Integrity Check (blocks malformed/missing UA headers) | ✓ enabled |
| Email Address Obfuscation (slows email-harvester scrapers) | ✓ enabled |
| Replace Insecure JS Libraries (auto-swaps Polyfill et al. for cdnjs equivalents) | ✓ enabled |
| AI crawlers (GPTBot, ClaudeBot, PerplexityBot, Google-Extended) — allowed by design, robots.txt is authoritative | ✓ allowed |
| Web Analytics — cookieless, no PII, no cross-site tracking | ✓ active |
Operational
| Control | State |
|---|---|
| Account-level 2FA on Cloudflare | ✓ enabled |
| API tokens — scoped, file-perm 0600 on local disk, never committed | ✓ enforced |
| D1 database — primary region ENAM · backups planned post-launch | ✓ live |
| Privacy policy + Terms of Service published | ✓ live |
| SOC 2 Type 1 audit | — planned for v2 cycle |
| Public bug bounty (HackerOne / Bugcrowd) | — planned post-launch |
| Annual independent penetration test | — planned year 2 |
researchers who made us safer
Acknowledgments.
Hall of fame for security researchers who responsibly disclosed issues in oknek. Empty for now — we shipped yesterday. When the list fills, you'll find it here.
Be the first to land on this page. Email [email protected].