Security

Report a vulnerability

Email security@carrental.callnsms.com. Please include steps to reproduce, impact, and any proof-of-concept. We respond within 72 hours.

We will not pursue legal action against researchers acting in good faith. If the vulnerability is confirmed, we credit you in our security advisory at your option.

Machine-readable version: /.well-known/security.txt.

Controls in place

• TLS 1.2+ with Let's Encrypt auto-renewal. HSTS with includeSubDomains.
• bcrypt password hashing (work factor 12); no password stored in plaintext.
• Every JWT carries a jti claim; tokens can be revoked instantly.
• Optional TOTP 2FA on every account.
• Row-level tenant isolation enforced in every query.
• Rate-limited login / signup / forgot-password / 2FA-verify endpoints.
• Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy denies camera/mic/geolocation.
• Upload content-type whitelist + magic-byte sniffing; no .exe or scripts stored.
• Image uploads stripped of EXIF metadata.
• Log redaction of Authorization, Cookie, password, access_token.
• Every write emits an audit_logs row with the acting user's identity.
• Nightly PostgreSQL dump + 14-day retention, off-host.

In flight

• OIDC / SAML single sign-on (Zitadel or Keycloak).
• SOC 2 Type I controls attestation (Q3 2026 target).
• Third-party penetration test (Q3 2026 target).
• Field-level encryption for PII (CNIC).
• Point-in-time recovery via WAL archiving.

Scope (in-scope targets)

• rentacar.callnsms.com (app + API).
• /.well-known/security.txt parsing.

Out of scope

• Denial-of-service tests. Rate-limit bypass without impact. Automated scanners that repeatedly submit forms.
• Vulnerabilities in third-party services we depend on (Stripe, JazzCash, Twilio, Resend …) — report those to the vendor.