← Back to App Terms of Service Privacy Policy

Security Policy & Incident Response

This document describes Report Shield's security controls, vulnerability disclosure process, incident response procedures, breach notification policy, and response time commitments. It is published publicly to support agency security review processes and to establish accountability to our users.

FOR SECURITY RESEARCHERS: If you have discovered a potential vulnerability in Report Shield, please report it directly to security@reportshield.app before public disclosure. We commit to acknowledging your report within 24 hours and providing a remediation timeline within 72 hours.

1. Security Controls Summary

The following controls are currently active in the Report Shield platform. This list is maintained for agency IT and security reviewers.

Control	Status	Details
Multi-Factor Authentication	Active	TOTP MFA mandatory for all accounts. Maximum 1 factor per account enforced at provider level.
MFA Brute-Force Protection	Active	5 consecutive failed MFA attempts triggers immediate session termination. Applied at application layer in addition to platform rate limiting.
Password Reset Hardening	Active	hCaptcha on reset form. Rate limited to 3 requests per 15 minutes. Constant-time response prevents email enumeration. Password reset suspends account and clears all MFA factors pending admin re-approval.
Session Security	Active	Sessions stored in browser session storage only. Browser close clears session. 60-minute inactivity timeout. Sessions do not persist across browser restarts.
Zero Report Retention	Active	Report text is never written to any database or log by Report Shield. Anthropic API logs retained maximum 7 days per commercial API terms. ZDR agreement with Anthropic in progress.
Transport Security	Active	HTTPS enforced on all endpoints. HTTP Strict Transport Security (HSTS) with 2-year max-age and preload enabled via Vercel.
Content Security Policy	Active	CSP, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (no-referrer), Permissions-Policy enforced at server level.
Bot Protection	Active	hCaptcha on all authentication and password reset endpoints.
Database Row Level Security	Active	Supabase RLS policies enforced. Users can only read their own profile data. Admin operations require service role key.
Browser Cache Prevention	Active	Report input fields configured with autocomplete=off, spellcheck=false, autocorrect=off to prevent browser and extension caching of report content.
Officer Verification	Active	PTB certification number required at signup. Department email accounts auto-approved. Personal email accounts require manual PTB verification against the Illinois Professional Training Board.
CJIS Certification	Pending	CJIS Security Policy compliance certification is in progress. NCIC, LEADS, and criminal history data must not be submitted to the platform pending certification.
Third-Party Security Audit	Planned	SOC 2 Type I audit is planned. No third-party attestation has been completed at this time.
Anthropic Zero Data Retention	In Progress	ZDR agreement with Anthropic is being executed. Until complete, standard commercial API terms apply with 7-day log retention.

2. Responsible Disclosure Policy

Report Shield welcomes reports of potential security vulnerabilities from security researchers, agency IT personnel, and users. We are committed to working with reporters in good faith and resolving valid issues promptly.

To report a vulnerability:

Email security@reportshield.app with a description of the issue, steps to reproduce, and potential impact
Do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate it
Do not access, modify, or delete data belonging to other users in the course of your research
Do not perform denial of service testing or automated scanning without prior written authorization

What to expect after reporting:

Acknowledgment of your report within 24 hours
Initial assessment and severity classification within 72 hours
Remediation timeline communicated within 5 business days
Notification when the issue has been resolved
Public credit for the discovery if desired, after remediation

OUT OF SCOPE: Social engineering attacks against Report Shield staff or users, physical security attacks, denial of service, and spam or phishing campaigns are outside the scope of this program and will not be treated as valid reports.

3. Incident Classification

Security incidents are classified by severity to determine response priority and notification requirements.

Severity	Definition	Examples
CRITICAL	Unauthorized access to user data or report content, active exploitation of a vulnerability, account takeover at scale	Database breach, MFA bypass in production, unauthorized admin access
HIGH	Vulnerability that could lead to unauthorized access if exploited, single account compromise	Authentication flaw, privilege escalation, session hijacking
MEDIUM	Security control failure without confirmed data exposure, anomalous access patterns	Rate limit bypass, CSP violation, unexpected admin access attempt
LOW	Minor security issues, informational findings, configuration weaknesses without exploitability	Missing security header, outdated dependency without known exploit

4. Response Time Commitments (SLA)

The following response time commitments apply to confirmed security incidents from the time of detection or verified report.

CRITICAL SEVERITY

2 Hours

Initial response and containment actions initiated. Affected users notified within 24 hours.

HIGH SEVERITY

8 Hours

Initial response and investigation. Remediation or mitigation within 48 hours.

MEDIUM SEVERITY

24 Hours

Investigation and assessment. Remediation within 7 business days.

LOW SEVERITY

5 Business Days

Review and prioritization. Remediation scheduled in next maintenance cycle.

5. Incident Response Procedure

The following steps are taken upon detection or report of a confirmed security incident:

Detection & Triage (0–2 hours for Critical): Incident is identified through monitoring, user report, or researcher disclosure. Severity is classified. Incident commander is assigned.
Containment: Immediate steps are taken to stop ongoing unauthorized access. This may include revoking affected sessions, suspending compromised accounts, disabling affected features, or taking systems offline.
Investigation: Scope of impact is determined. Affected users and data are identified. Root cause analysis is initiated.
Eradication: The vulnerability or misconfiguration that enabled the incident is corrected. All affected systems are verified clean.
Recovery: Affected systems and accounts are restored to normal operation. Additional monitoring is applied to detect recurrence.
Post-Incident Review: Root cause documentation is completed. Controls are updated to prevent recurrence. This policy is updated if required.

6. Breach Notification Policy

In the event of a confirmed data breach involving user account information or report content, Report Shield will take the following notification actions:

Affected users will be notified by email within 72 hours of confirmed breach determination. Notification will include: what data was involved, what occurred, what steps we have taken, and what actions affected users should take.
Account suspension will be applied to any account confirmed to have been accessed without authorization, pending investigation and user verification.
Law enforcement will be notified where required by applicable law or where criminal activity is suspected.
Regulatory notification will be made as required by applicable state and federal law including Illinois breach notification requirements under 815 ILCS 530.
Public disclosure will be made via this page and direct email communication to all active users in the event of a material breach affecting platform security broadly.

IMPORTANT — CJIS DATA: Report Shield's CJIS certification is pending. Officers must not submit NCIC, LEADS, or criminal justice database data through this platform. In the event of a breach, Report Shield cannot be responsible for unauthorized CJIS data submitted in violation of platform restrictions.

7. Third-Party Security Commitments

Report Shield relies on the following third-party providers for core security functions. Their security posture directly affects Report Shield's security baseline.

Provider	Function	Security Commitment
Supabase	Authentication & database	SOC 2 Type II certified. HIPAA compliant. Platform-level rate limiting and MFA enforcement.
Anthropic	AI report analysis	Commercial API terms prohibit training on customer data. 7-day log retention. ZDR agreement in progress.
Vercel	Hosting & delivery	SOC 2 Type II certified. HTTPS enforcement and security header delivery.
Stripe	Payment processing	PCI DSS Level 1 certified. Card data never touches Report Shield infrastructure.
hCaptcha	Bot protection	GDPR compliant. Applied to all authentication and password reset endpoints.

8. Contact

Security issues, vulnerability reports, and breach notifications should be directed to:

Security Contact

For vulnerability reports and security inquiries:

security@reportshield.app

For general support: support@reportshield.app

Agency security reviewers may request additional technical documentation. We respond to documented requests within 5 business days.

COMMITMENT: Report Shield is committed to continuous improvement of its security posture. This page will be updated as new controls are implemented, certifications are achieved, and the platform evolves. The last-updated date at the top of this page reflects when this document was last materially revised.