Security — MoonBase

Security at MoonBase

Security isn’t a feature. It’s a requirement. Here’s how we approach it.

Infrastructure security

HTTPS everywhere

All traffic to MoonBase — the platform and every site we host — is encrypted in transit. TLS certificates are provisioned automatically and renewed before expiry.

Encrypted storage

Project files and environment variables are encrypted at rest. Environment variable values are write-only after save — they cannot be retrieved in plaintext through the MoonBase interface.

Isolated deployment environments

Each project runs in an isolated environment. One project’s resources cannot access another’s.

DDoS protection

MoonBase infrastructure includes network-level DDoS mitigation.

Access control

Authentication

MoonBase uses secure session-based authentication. Passwords are hashed using modern algorithms (bcrypt/argon2). We do not store plaintext passwords.

API keys

API keys are hashed at rest. If a key is compromised, it can be revoked immediately from your account settings.

Team access

Project access is scoped. Inviting a team member to a project gives them access only to that project, not your entire account.

Code and data security

Your code is yours

We do not claim ownership of your project files. We do not use your code to train models. We do not sell or share your data with third parties except as described in our Privacy Policy.

Red flag scanning

MoonBase’s Inspector scans uploaded projects for common security issues: hardcoded API keys, exposed credentials, absolute filesystem paths that suggest a credential leak. Findings are reported to you before deployment.

No build log leakage

Environment variables are never logged. Build output is sanitized before storage.

Vulnerability disclosure

If you discover a security vulnerability in MoonBase, please report it responsibly.

Security contact: [email protected]

We ask that you:

Give us reasonable time to investigate and fix the issue before public disclosure
Not access, modify, or delete data that doesn’t belong to you
Not perform automated scanning that degrades service for other users

We will:

Acknowledge your report within 2 business days
Keep you updated on our progress
Credit you in our disclosure (if you want to be credited)

We do not currently operate a paid bug bounty program, but we appreciate responsible disclosure.

Compliance

See our Compliance page for information on GDPR, CCPA, SOC 2, and other regulatory frameworks.

Incident history

See our Incident History page for a log of past security and availability incidents.