Security
How we protect your data and what to do if you find a vulnerability.
Ace Level is built with a primary focus on transparency, security, and privacy, on infrastructure we control end-to-end. This page describes what we actually do, in plain terms.
If you're a security researcher, a teacher, or just a curious student, this page is for you.
Security Practices and Compliance
We use ISO 27001 and SOC 2 control frameworks as a reference when making security decisions, without claiming formal certification against either. We also comply with GDPR, which means you have the right to access, export, or delete your personal data at any time.
Network/Infrastructure Security
Ace Level runs on virtualized private server instances we administer directly, rather than on a managed PaaS. Ace Level is solely responsible for the security of our infrastructure systems, including application servers, authentication, and gateways. This includes managing access, applying security patches to the operating system and other third-party software, and mitigating hardware vulnerabilities where appropriate. We monitor these systems in both an operational and security capacity.
- Our application servers run in the United Kingdom and Singapore, with a separate node in the Netherlands. No origin server is exposed directly to the internet: every connection passes through reverse tunnels, and all internal communication runs over WireGuard.
- Per-service encryption. Each service encrypts its data independently with its own keys, using AES-256 in authenticated encryption modes. Even if one layer of our infrastructure were compromised, the others remain sealed. Encryption keys are stored separately from the data they protect.
- The database is a managed Postgres instance on AWS, hosted in the EU (Ireland). It's never reachable from the public internet; only our application servers can talk to it.
- Encryption at rest. Production servers use file-level encrypted filesystems (AES-256-GCM). If a disk were ever physically removed, there's no readable Ace Level code or data on it.
- Everything in transit is TLS. Cloudflare terminates TLS at the edge; traffic between Cloudflare and our origins is encrypted separately over tunnel infrastructure.
- Network-level intrusion prevention. We run active threat detection on all servers, using community-fed blocklists and behavioral analysis to automatically ban IPs showing malicious patterns, including port scanning, brute force, credential stuffing, and similar activity.
- Audit logging. Critical servers have kernel-level audit trails that record privilege escalation, user management, file deletion, and network activity. These logs are append-only and cannot be tampered with.
We treat infrastructure separation as a security control, architected from the ground up. Our status and monitoring tooling runs on a separate, isolated host that holds no user data, which allows us to detect and respond to incidents without touching production systems.
Application Security
Ace Level ensures that any software we are responsible for developing meets an appropriate level of security. This includes ensuring the security of the software’s supply chain while conducting regular audits and testing.
Everything talks to everything else over WireGuard or Cloudflared. WireGuard is a VPN designed by vulnerability researchers for simplicity, auditability, and modern cryptography. Once a request arrives at our edge from the Internet, it is proxied to our origin through an encrypted Cloudflared tunnel. Internal communication between our servers runs over WireGuard.
- Strict security headers on every response. Enforced both at our application layer and at the CDN edge.
- Authentication is self-hosted and never handed off to a third party. We support OAuth sign-in as the primary method, which means we do not store passwords.
- Locked-down CI/CD. Deploys are sequential, health-checked, and run with scoped tokens that exist only for the duration of the workflow. Secrets are pulled from a dedicated secrets manager at deploy time; they're never committed to the repository or baked into a container image.
- Supply chain protection. Every dependency is locked to a specific version via pnpm's lockfile and audited for known vulnerabilities before reaching production. Our base images and CI actions are pinned to exact commit hashes rather than floating tags, preventing compromised upstream releases from affecting builds. Socket Firewall monitors for typosquatting and suspicious install scripts in real time. Every deployment generates an SPDX Software Bill of Materials, and deployed images are scanned by Trivy for OS-level vulnerabilities.
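To make the pinning rule in the last item concrete, here is an added checker (example code, not Ace Level's tooling) that scans workflow and Dockerfile lines and reports any GitHub Actions `uses:` reference that is not a full commit SHA and any `FROM` image that is not pinned by sha256 digest. The sample input is constructed; the checker also accepts local actions, `docker://` refs and `scratch`, which goes slightly beyond the rule as stated.

```javascript
// Added example (not Ace Level's tooling): flag CI actions and base images that
// are pinned to floating tags instead of commit SHAs or sha256 digests.
const SHA40 = /^[0-9a-f]{40}$/;
const DIGEST = /@sha256:[0-9a-f]{64}$/;

// Check a Dockerfile FROM image: only a sha256 digest counts as pinned.
function checkImage(image) {
  if (image === 'scratch') return { ref: image, ok: true, reason: 'empty base image' };
  if (DIGEST.test(image)) return { ref: image, ok: true, reason: 'digest' };
  return { ref: image, ok: false, reason: 'tag or no digest' };
}

// Check one `uses:` reference such as "actions/checkout@v4" or "owner/repo@<sha>".
// Local actions ("./path") cannot float; Docker actions are checked as images.
function checkUses(ref) {
  if (ref.startsWith('./')) return { ref, ok: true, reason: 'local action' };
  if (ref.startsWith('docker://')) return checkImage(ref.slice('docker://'.length));
  const at = ref.lastIndexOf('@');
  if (at < 0) return { ref, ok: false, reason: 'no ref given' };
  const version = ref.slice(at + 1);
  if (SHA40.test(version)) return { ref, ok: true, reason: 'commit sha' };
  return { ref, ok: false, reason: `floating ref "${version}"` };
}

// Scan text mixing workflow YAML and Dockerfile lines; returns only unpinned
// findings. Lines are matched by regex, not parsed as YAML, so keep inputs simple.
function findUnpinned(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const uses = line.match(/^-?\s*uses:\s*['"]?([^'"\s#]+)/);
    if (uses) { const r = checkUses(uses[1]); if (!r.ok) findings.push(r); continue; }
    const from = line.match(/^FROM\s+(?:--platform=\S+\s+)?(\S+)/i);
    if (from) { const r = checkImage(from[1]); if (!r.ok) findings.push(r); }
  }
  return findings;
}

// Constructed sample mixing pinned and unpinned references (SHAs are dummies).
const SAMPLE = [
  '    - uses: actions/checkout@' + 'a'.repeat(40),
  '    - uses: actions/setup-node@v4',
  '    - uses: ./.github/actions/deploy',
  'FROM node:20-alpine AS builder',
  'FROM node:20-alpine@sha256:' + 'b'.repeat(64),
].join('\n');
```

Running `findUnpinned(SAMPLE)` reports `actions/setup-node@v4` and `node:20-alpine`; the SHA-pinned action, the local action and the digest-pinned image pass.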
Corporate Security
Internal access to Ace Level infrastructure is protected by the same principles we apply to our application layer.
- Access to internal services is gated on a zero-trust identity provider, requiring authentication for every request.
- We enforce multi-factor authentication on all team accounts.
- Internal network access runs over WireGuard with default-deny rules: only explicitly allowed connections succeed.
- Outside of the core team, staff members do not have access to production servers or the database.
Data Protection
We collect as little as possible. If you don't create an account, we don't know who you are. If you do, the only things tied to your identity are your name, email, and avatar from whichever OAuth provider you chose, plus anything you explicitly save, like bookmarks. Under GDPR, you have the right to access, export, or delete your personal data.
- We never sell your data. We never use it to train AI models.
- You can delete your account at any time. When you do, your data is deleted within 7 days.
- Read the full breakdown in our Privacy Policy.
Responsible Vulnerability Disclosure
Found something? We absolutely want to know before anyone else does.
Email [email protected] with what you found and how to reproduce it. We read every report personally. We'll acknowledge real reports quickly and keep you posted as we address and fix them.
We support responsible security research. If you follow these guidelines, we will not pursue legal action against you:
In scope:
- Authentication and authorization flaws
- Injection vulnerabilities (SQL, XSS, CSRF, etc.)
- Access control bypasses
- Information disclosure
- Server-side request forgery
- Cryptographic weaknesses in our implementation
Out of scope:
- Social engineering (phishing, pretexting, baiting)
- Physical attacks against personnel or facilities
- Denial of service attacks (DoS/DDoS)
- Automated vulnerability scanners without prior written consent
- Attacks against third-party services (Cloudflare, AWS, GitHub, OAuth providers)
- Testing against accounts you do not own
- Accessing, modifying, or deleting data that is not yours
- Public disclosure before we've had a reasonable window to fix the issue
Rules of engagement:
- Stop immediately if you encounter sensitive user data. Report it to us; do not store or share it.
- Do not run automated tools against production. Ask us first; we may provide a staging environment depending on the scope.
- Do not perform testing that could degrade service availability for other users.
- Do not exfiltrate data beyond what is necessary to demonstrate a vulnerability.
- We ask for a minimum of 90 days before public disclosure.
- We will acknowledge your report within 48 hours and keep you updated on our progress.
What we offer:
We're a small, free, student-facing platform, so we can't offer a bug bounty in cash, but we'll credit you publicly if you'd like, and we won't forget who helped us.
Reporting Phishing/Impersonation
If you receive a phishing email or text, or encounter anyone attempting to impersonate us, please report it to us at [email protected] so that we can take action and make other students aware. We will never ask you for your password or any other sensitive credentials over the internet.
You may be asked to forward the content to [email protected] for further inspection.
Questions about any of this? Reach us at [email protected] for security matters, or [email protected] for anything else.