Security Policy
Last updated: April 6, 2026
1. Our Commitment to Security
At Launchpad Developers, Inc., we take the security of ChronoForge and the data entrusted to us seriously. We implement industry-standard security practices and continuously review our systems to protect against threats. Our security measures include:
- Encryption in transit: All communication between your browser and ChronoForge is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Data stored in our Azure databases is encrypted at rest using Azure-managed encryption keys.
- Authentication: Passwords are stored using secure one-way cryptographic hashing. We do not store plaintext passwords.
- Access controls: Role-based access controls ensure users can only access data belonging to their own organization.
- Infrastructure security: Our application runs on Microsoft Azure, which provides physical security, network controls, and compliance certifications including ISO 27001 and SOC 2.
- Regular reviews: We conduct regular security reviews and code audits to identify and remediate vulnerabilities.
2. Reporting a Vulnerability
We welcome responsible disclosure of security vulnerabilities. If you have discovered a potential security issue in ChronoForge, please report it to us privately before making it public. This allows us to investigate and resolve the issue without exposing our users to unnecessary risk.
To report a vulnerability, please send an email to hello@launchpaddevs.com with the subject line "Security Vulnerability — ChronoForge".
Your report should include:
- A clear description of the vulnerability and the affected component
- Step-by-step reproduction instructions
- The potential security impact (e.g., data exposure, authentication bypass)
- Any proof-of-concept code or screenshots, if applicable
Please do not publicly disclose the vulnerability until we have had an opportunity to investigate and release a fix.
3. Response Timeline
We are committed to responding to security reports promptly:
- Acknowledgement: We will acknowledge receipt of your report within 2 business days.
- Initial assessment: We will provide an initial assessment of the severity and scope of the issue within 7 business days.
- Resolution: We aim to resolve critical vulnerabilities within 30 days. Complex issues may require additional time, and we will keep you informed of our progress.
4. Scope
This policy applies to the following systems operated by Launchpad Developers, Inc.:
- The ChronoForge web application at chronoforge.app
- The ChronoForge API (accessed by the web application)
5. Out of Scope
The following activities are out of scope for our responsible disclosure program and may result in legal action:
- Social engineering attacks against Launchpad employees or contractors
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Physical attacks against our infrastructure or personnel
- Testing against third-party services (Stripe, Azure, Brevo) — report issues directly to them
- Automated bulk scanning without a specific vulnerability target
- Accessing, modifying, or deleting data belonging to other users
6. Safe Harbor
Launchpad Developers, Inc. will not pursue legal action against security researchers who:
- Report vulnerabilities in good faith following the guidelines in this policy
- Avoid accessing, modifying, or exposing user data beyond what is necessary to demonstrate the vulnerability
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
- Do not conduct testing that disrupts the Service for other users
7. Recognition
We appreciate the contributions of the security research community. Researchers who responsibly disclose valid security vulnerabilities may, with their consent, be acknowledged in our security hall of fame. Please indicate in your report whether you wish to be recognized.
8. Contact
For security-related inquiries, please contact hello@launchpaddevs.com with the subject "Security Vulnerability — ChronoForge".