Everything on this page is observable, dated, and auditable. If you are evaluating us for work that touches sensitive data, this should answer most of your questions in under five minutes.
Every repository runs static analysis on every pull request. We block merges on findings we cannot reason away, not on warnings.
Dependabot watches the dependency tree. CI runs npm audit with a high-severity failure threshold on every push. Shai-Hulud-class provenance checks run on new releases of packages that touch secrets or payments.
No secret is allowed to reach our git history. A pre-commit hook blocks commits with leaked credentials. CI runs gitleaks on every push and every scheduled sweep. Every key has a rotation date.
Pre-launch, every Impleia-built site goes through a Shannon pentest against a staging environment with source in hand. Findings are reported with working proofs of concept. We run the same process on our own site on a quarterly cadence.
If you believe you have found a security issue in anything we operate — impleia.com, a client site we built, an API we expose — report it and we will respond.
security@impleia.com

We commit to an acknowledgment within 24 hours and a first substantive response within 72 hours.
We do not run a paid bounty program today. We will credit you publicly in our changelog (if you want), and for substantive reports we will send a thank-you that is not just a t-shirt.
Before any scan, the client signs a clause that names the in-scope systems, the test window, and the out-of-scope vendors. The clause is written to work on both sides of the U.S.-Mexico border.
This page is authored by hand. Badges reflect the state of our public repositories as of the last dated audit. Machine-readable status feeds will be added alongside the next audit.