Security at ByteWire Forensics

Security is not just what we sell—it is how we operate. As a cybersecurity and digital forensics practice, we hold ourselves to the same standards we advise our clients to adopt.

Our Security Practices

The ByteWire Forensics website and Academy platform implement the following security controls:

  • Authentication. Server-side session management with JWT tokens. Passwords are hashed using bcrypt (cost factor 12) and never stored in plaintext. Rate limiting is enforced on all authentication endpoints.
  • Authorization. Role-based access control (RBAC) with server-side enforcement on every protected API route and page. Admin, instructor, and student roles are enforced at the API layer—not just the client.
  • Transport Security. All traffic is encrypted in transit via TLS/HTTPS.
  • Input Validation. All user-facing endpoints validate and sanitize input server-side. Email format validation, string length limits, and honeypot fields are applied to all intake forms.
  • Rate Limiting. Sliding-window rate limiting protects login, registration, contact, and newsletter endpoints against brute-force and abuse.
  • Audit Logging. Authentication events, administrative actions, enrollment changes, and contact submissions are logged with IP address, user agent, and timestamp for monitoring and incident response.
  • Dependency Management. We monitor dependencies for known vulnerabilities and apply updates regularly.

Responsible Disclosure Policy

We value the security community and welcome responsible disclosure of vulnerabilities. If you discover a security issue in our website, Academy platform, or related infrastructure, we ask that you:

  1. Report privately. Send your findings via our Contact page with a detailed description of the vulnerability, including steps to reproduce.
  2. Allow reasonable time. Give us at least 90 days to investigate and address the issue before any public disclosure.
  3. Do not exploit. Do not access, modify, or delete data belonging to other users. Do not perform denial-of-service attacks, social engineering, or physical security testing.
  4. Act in good faith. Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.

We commit to acknowledging your report within 48 hours, providing status updates at least every 14 days, and crediting researchers (with permission) once the vulnerability is resolved.

We will not pursue legal action against researchers who report in good faith and comply with this policy.

Scope

The following are in scope for responsible disclosure:

  • The ByteWire Forensics website (bytewireforensics.com)
  • The ByteWire Forensics Academy platform (authentication, enrollment, API endpoints)
  • Newsletter and contact form processing

The following are out of scope:

  • Third-party services and infrastructure not operated by ByteWire Forensics
  • Social engineering or phishing attacks against ByteWire Forensics personnel
  • Physical security testing
  • Denial-of-service attacks

Security Contact

  • Security reports: Contact page
  • PGP Key: Available upon request for encrypted communication
  • Response SLA: Initial acknowledgment within 48 hours

Compliance Alignment

Our security practices are informed by and aligned with recognized frameworks including NIST Cybersecurity Framework (CSF), ISO 27001/27002, and OWASP Application Security Verification Standard (ASVS). We continuously evaluate our controls against these benchmarks as part of our commitment to operational security maturity.

Questions about our security practices? Visit our contact page.

© 2026 Bytewire Forensics LLC · All rights reserved · 414-373-0092