Security Policy
Security model, vulnerability reporting, and customer responsibilities for Webtunel workloads.
Last updated: June 15, 2026
Platform controls
Webtunel uses Supabase Auth for account sessions and password reset, owner-scoped dashboard records, scoped API keys, short-lived stream keys, and audit records for billing and runtime events.
The account portal and runtime are separated so dashboard features can remain stable while GPU worker orchestration scales independently.
Payment and billing controls
Stripe Checkout handles payment card collection. Webtunel does not store full card numbers or card verification codes.
Credit is only posted after signed Stripe webhook confirmation. Admin credit adjustments and pricing policy changes are recorded for auditability.
Customer responsibilities
Keep account passwords, API keys, worker tokens, registry credentials, environment variables, and stream keys secret. Rotate exposed keys quickly.
Docker images should avoid logging secrets, should validate payloads, and should write artifacts only to intended locations.
Responsible disclosure
Report vulnerabilities to security@webtunel.com. Include steps to reproduce, affected URLs or endpoints, impact, and whether any data may have been accessed.
Do not access, modify, delete, or exfiltrate other users' data. Do not run destructive tests, denial-of-service tests, or social engineering.
Incident response
We may revoke keys, rotate credentials, disable workloads, notify affected users, and preserve logs when investigating suspected incidents.
Security-related retention may continue after account closure where needed for abuse prevention, legal compliance, or dispute handling.