Security

How isitready.dev is secured, our vulnerability disclosure programme, and the safe-harbour conditions for good-faith research.

Last updated: April 30, 2026

Operator: KORDU LTD, England and Wales company no. 16836154. Registered office: First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ. Legal contact: legal@kordu.gg.

How the service is built

isitready.dev runs on Cloudflare Workers behind Cloudflare’s edge proxy with the platform’s standard DDoS protection. We use Cloudflare KV for cached scan reports and rate-limit fallback storage, Cloudflare D1 (single-region SQLite) for relational data, Cloudflare R2 for performance payloads, Cloudflare Queues for asynchronous scan jobs, Cloudflare Durable Objects for scan-concurrency gating, Cloudflare Email Service Send Email for transactional email, and Cloudflare Turnstile for human verification on scan submission, sign-in, and sign-up.

All public traffic is served over HTTPS with security response headers (HSTS, a Content Security Policy with a per-request nonce, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). The scanner only fetches public HTTP(S) endpoints; it does not authenticate to targets and does not bypass access controls.
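A check for the header set listed above, as an added example (not isitready.dev's own code, and not its actual header values): it audits two responses to the same URL for those headers and confirms that the CSP nonce changes between requests. The function names, finding codes and sample headers are assumptions constructed for illustration.

```javascript
// Added example: header maps use lowercase names; all sample values are constructed.

// "script-src 'self' 'nonce-abc'; object-src 'none'" -> Map(directive -> sources)
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Nonces that apply to scripts: script-src, falling back to default-src.
function cspNonces(value) {
  const csp = parseCsp(value);
  const sources = csp.get("script-src") || csp.get("default-src") || [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Compare two responses to the same URL; returns a list of finding codes.
function auditHeaders(first, second) {
  const findings = [];
  const maxAge = /max-age="?(\d+)/i.exec(first["strict-transport-security"] || "");
  if (!maxAge || Number(maxAge[1]) === 0) findings.push("hsts-missing-or-zero");
  const nosniff = (first["x-content-type-options"] || "").trim().toLowerCase();
  if (nosniff !== "nosniff") findings.push("nosniff-missing");
  for (const name of ["referrer-policy", "permissions-policy"]) {
    if (!first[name]) findings.push(`${name}-missing`);
  }
  const a = cspNonces(first["content-security-policy"]);
  const b = cspNonces(second["content-security-policy"]);
  if (a.length === 0 || b.length === 0) findings.push("csp-nonce-missing");
  else if (a.some((n) => b.includes(n))) findings.push("csp-nonce-reused");
  return findings;
}

// Constructed sample: a full header set, plus a helper that swaps in another nonce.
const base = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-Zm9vYmFyMTIz'",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "camera=(), geolocation=()",
};
const withNonce = (n) => ({ ...base, "content-security-policy": `script-src 'self' 'nonce-${n}'` });
```

An empty result from auditHeaders(base, withNonce("cXV4YmF6NDU2")) means every listed header is present and the nonce changed; a nonce that repeats across responses usually points to a cached or static value.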

Authentication

Accounts use Better Auth with email and password, optional social sign-in (Google, GitHub, Discord), optional time-based one-time-password two-factor with backup codes, device authorisation flows, and API keys for programmatic access.

Passwords are stored as salted hashes using scrypt (the Better Auth default). OAuth access and refresh tokens, two-factor secrets, and backup codes are encrypted at rest with a secret stored as a Cloudflare Workers secret. API keys are stored as hashes and shown only once on creation. Cloudflare Turnstile gates sign-in, sign-up, password reset, and scan submission.

Logs and observability

We use Cloudflare Observability with conservative head-sampling (logs at 10%, traces at 5%) and Cloudflare Workers Analytics Engine for sampled product/ops metrics. Product analytics events do not store raw IP addresses, raw user-agent strings, request bodies, full session tokens, or unredacted secrets. IP addresses used for the public-scan rate-limit fallback are stored as salted hashes only. Sampled access logs are retained for the period currently configured on our Cloudflare plan.

What we do not promise

No system is perfectly secure. We do not promise that the service will be free of vulnerabilities, will resist every threat, or will be available at all times. Specific contractual security commitments to a customer would need to be set out in a written agreement.

Reporting a vulnerability

If you discover a security vulnerability in isitready.dev, please email security@kordu.gg with a clear description, the affected URL/component, proof-of-concept steps, any artefacts (with sensitive data redacted), your name, and how you would like to be credited.

We aim to acknowledge receipt within 3 working days and to provide a substantive response within 10 working days. Where we cannot meet these targets, we will tell you why and propose a revised timeline.

Safe-harbour for good-faith research

Authorisation. To the extent your activity complies with this policy, we authorise you to access the in-scope systems listed below for the purpose of good-faith security research. Such activity is therefore authorised under the Computer Misuse Act 1990 (including section 17) and analogous provisions of the US Computer Fraud and Abuse Act.

If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you under the CMA or CFAA, except where you exceed this authorisation. We will work with you in good faith and credit you if you wish.

Limits. This authorisation extends only to KORDU LTD-operated assets in the scope below. Third-party providers and target sites in any public report have their own policies; we cannot grant authorisation against them. We also cannot grant immunity from criminal offences that do not require a complainant, including the interception offences in the Investigatory Powers Act 2016 and CMA section 3ZA.

Conditions

  • Targets only the assets listed in Scope below.
  • Avoids privacy violations, destruction of data, and degradation of service.
  • Avoids social-engineering attacks against our staff, users, or partners.
  • Does not exfiltrate or retain other users' data beyond the minimum needed to demonstrate the vulnerability.
  • Does not publicly disclose the vulnerability before a fix is released and we agree on a coordinated disclosure date.
  • Complies with all laws other than those whose breach is excused by the authorisation granted above.

Scope

  • In scope: https://isitready.dev and its subdomains, the public scanner endpoints, the dashboard, the public reports directory, and any APIs published as part of isitready.dev.
  • Out of scope: third-party services we depend on (Cloudflare, Better Auth, Polar, Google, GitHub, Discord); target sites in any public report; denial-of-service or volumetric-load testing; social or supply-chain attacks against staff, contractors, or vendors.

Recognition

We do not currently run a paid bug-bounty programme. If we introduce one, this page will be updated.

Status and breach notification

For incidents involving personal data we will follow the breach-notification process in the Privacy Policy, including notifying the ICO within 72 hours where Article 33 UK GDPR applies and notifying affected individuals where the risk is high.


© 2026 KORDU LTD, a private limited company registered in England & Wales (Company No. 16836154).