Our Commitment
At Deca Dev Ltd, security is not a feature — it is the foundation. The DSEC OS platform is built from the ground up with a defence-in-depth approach: hardened kernels, mandatory access controls, encrypted storage, and immutable audit logging. We hold ourselves to the same standards we build for our clients.
We believe that security researchers and the broader community play a vital role in keeping systems safe. If you discover a vulnerability in our platform or this website, we want to hear from you.
Reporting a Vulnerability
If you believe you have found a security vulnerability, please report it to us responsibly:
- Email: security@decadev.co.uk
- Subject line: Include "[VULNERABILITY]" so your report is prioritised.
- Encryption: If you need to share sensitive details, request our PGP key at the email address above.
What to Include
A good vulnerability report helps us understand and reproduce the issue quickly. Please include:
- Description of the vulnerability and its potential impact.
- Steps to reproduce the issue, including any tools or scripts used.
- The URL or component affected.
- Your assessment of severity (critical, high, medium, low).
- Any supporting evidence (screenshots, logs, proof-of-concept code).
What to Expect
When you submit a vulnerability report, here is what you can expect from us:
- Acknowledgement: We will confirm receipt of your report within 2 business days.
- Assessment: We will investigate and provide an initial assessment within 5 business days.
- Resolution: We will work to resolve confirmed vulnerabilities promptly and keep you informed of progress.
- Credit: With your permission, we will acknowledge your contribution when the vulnerability is resolved.
Safe Harbour
We consider security research conducted in accordance with this policy to be authorised. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid harm to our users, our systems, and our data.
- Do not access, modify, or delete data belonging to other users.
- Do not degrade the performance or availability of our systems.
- Report vulnerabilities to us before disclosing them publicly.
- Allow us reasonable time to resolve the issue before any public disclosure.
Scope
In Scope
- The DSEC OS platform and its components.
- This website (dsecos.decadev.co.uk).
- APIs and services exposed by the DSEC platform.
Out of Scope
- Third-party services or websites linked from our site.
- Social engineering, phishing, or physical attacks against Deca Dev Ltd staff.
- Denial-of-service (DoS/DDoS) attacks.
- Automated scanning that generates excessive traffic.
Platform Security Measures
For transparency, here is a summary of the security measures built into the DSEC OS platform:
- Hardened OS: Rocky Linux 9.x with CIS Level 2 benchmarks applied.
- Mandatory access controls: SELinux enforcing mode with custom type enforcement policies.
- Container isolation: AppArmor profiles per container, rootless runtime, user namespace remapping.
- Network security: eBPF-based policy enforcement, private network namespaces per container.
- Encryption: LUKS2 at-rest encryption, TLS for all communications.
- Audit: Immutable, append-only audit journal for all security-relevant events.
Contact
For security-related matters:
Deca Dev Ltd — Security Team
Email: security@decadev.co.uk
For general enquiries, please use our contact page.