Security Policy

Effective Date: March 5, 2026

This policy defines baseline security commitments, vulnerability disclosure process, and operational security expectations for ReplayState deployments and pilots.

1. Security Principles

• Least-privilege access design for protected APIs and operational workflows.
• Auditability and evidence integrity for simulation and export artifacts.
• Operational visibility through structured logging and request-level traceability.

2. Current Snapshot Controls

• Bearer-auth enforcement on `/v1/*` endpoints.
• API key issuance and rate-limit metadata support.
• SHA-256 evidence checksum workflows for packet validation.

3. Production Hardening Roadmap

• Scoped keys and lifecycle controls (rotation, expiry, revocation).
• Role-based access controls for administrative operations.
• Queue durability hardening for async workloads.
• Expanded telemetry and SLO-aligned incident alerting.

4. Responsible Disclosure

To report a security issue, contact security@replaystate.com with a clear reproduction path, impact statement, and suggested mitigation if available.

Preferred report format:
- Affected endpoint/component
- Reproduction steps
- Expected vs actual behavior
- Impact and exploitability
- Proof artifacts (logs/screenshots/requests)

ReplayState will acknowledge submissions promptly and coordinate remediation timelines based on risk severity.

5. Incident Communication

Material incidents affecting confidentiality, integrity, or availability are communicated to affected institutional customers through designated security or operational contacts.