Security

Security Policy

Security model, vulnerability reporting, and customer responsibilities for Webtunel workloads.

Last updated: June 15, 2026

Platform controls

Webtunel uses Supabase Auth for account sessions and password reset, owner-scoped dashboard records, scoped API keys, short-lived stream keys, and audit records for billing and runtime events.

The account portal and runtime are separated so dashboard features can remain stable while GPU worker orchestration scales independently.

Payment and billing controls

Stripe Checkout handles payment card collection. Webtunel does not store full card numbers or card verification codes.

Credit is only posted after signed Stripe webhook confirmation. Admin credit adjustments and pricing policy changes are recorded for auditability.

Customer responsibilities

Keep account passwords, API keys, worker tokens, registry credentials, environment variables, and stream keys secret. Rotate exposed keys quickly.

Docker images should avoid logging secrets, should validate payloads, and should write artifacts only to intended locations.

Responsible disclosure

Report vulnerabilities to security@webtunel.com. Include steps to reproduce, affected URLs or endpoints, impact, and whether any data may have been accessed.

Do not access, modify, delete, or exfiltrate other users' data. Do not run destructive tests, denial-of-service tests, or social engineering.

Incident response

We may revoke keys, rotate credentials, disable workloads, notify affected users, and preserve logs when investigating suspected incidents.

Security-related retention may continue after account closure where needed for abuse prevention, legal compliance, or dispute handling.