Strength & Solidarity LLC

Of the Walles & the Quiet Reporting of Faultes

Security & Responsible Disclosure

Last reviewed: June 10, 2026

Strength & Solidarity LLC ("the LLC") takes the security of BellusTowne and its Citizens seriously. This page describes our current security posture, how we handle vulnerability reports, and how researchers can contact us responsibly.

1. Security posture

  • Row-Level Security (RLS): All database tables in the public schema enforce RLS policies. No unauthenticated query may access another Citizen's data.
  • Multi-Factor Authentication (MFA): TOTP-based second seals (authenticator apps) are available to all Citizens and required for privileged roles (Founder, Constables, Thanes).
  • Recovery codes: Hardware-seal recovery codes are generated server-side and shown once. They are hashed before storage.
  • Security-definer functions: Sensitive operations (role checks, balance queries, audit writes) useSECURITY DEFINER functions to prevent privilege escalation through RLS recursion.
  • Append-only audit ledgers: Critical tables (standing ledger, IP registry, market transactions) are append-only by database trigger and may not be altered or deleted by any application user.
  • Anomaly detection: Automated sweeps flag duplicate avatars, impersonation attempts, unusual standing transfers, and mass-download patterns.
  • Scoped secrets: Service-role credentials and webhook secrets are server-only and never bundled into client code.
  • Webhook verification: All incoming webhooks (Stripe, etc.) are verified by HMAC signature before processing.
  • Avatar allowlist: Uploaded portraits are validated against a strict allowlist of extensions, size limits, and MIME types before storage.

2. What we do not yet offer

We are transparent about the defenses we have not yet built so that researchers do not waste effort on known gaps:

  • We do not currently operate a formal bug-bounty programme or paid vulnerability-reward scheme.
  • Per-IP rate limiting on server functions is not yet deployed; we rely on infrastructure-level protections.
  • Automated dependency scanning in CI is not yet active; we audit manually on a regular cadence.
  • A formal published incident-response and breach-notification policy document is planned but not yet live.

3. Responsible disclosure

If you discover a security vulnerability in BellusTowne, we ask that you disclose it to us responsibly:

  1. Do not exploit the vulnerability beyond what is necessary to confirm its existence.
  2. Do not access, modify, or delete other Citizens' data.
  3. Do not attack our infrastructure with brute force, denial-of-service, or social-engineering techniques.
  4. Give us reasonable time to investigate and remediate before publishing any findings. We consider 90 days from first contact to be reasonable, and we will keep you informed of our progress.

4. How to report

Send reports to security@strengthandsolidarity.com. Please include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce, with minimal test cases if possible.
  • The affected components (URL, endpoint, table, etc.).
  • Your contact information and whether you wish to be credited.

We will acknowledge receipt within 72 hours and aim to provide a substantive update within 14 days.

5. Safe harbour

We will not pursue legal action against researchers who:

  • Follow the responsible-disclosure guidelines above.
  • Make a good-faith effort to avoid privacy violations and service disruption.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it.

This safe-harbour pledge does not extend to acts that are criminal under applicable law, nor to researchers who deliberately cause harm, exfiltrate data, or extort the Towne.

6. Recognition

With your permission, we will publish a thank-you note in the Towne Crier or on this page crediting researchers who have helped us improve our defences. We do not offer cash bounties at this time.

7. Changes

This disclosure policy may be updated as our security posture evolves. Material changes will be posted here with an updated "Last reviewed" date.

8. Contact

Strength & Solidarity LLC — security@strengthandsolidarity.com

Strength & Solidarity LLC dragon-shield emblem
Hearthsong silent