Security
Defense in depth. Honest about gaps.
Device Provisioning
Each device is provisioned with a one-time token that expires after use. The device receives a unique upload secret stored only on the local machine. All subsequent uploads are authenticated with this secret — no passwords or API keys are transmitted.
Bundle Integrity
Every data bundle uploaded by the agent is signed and verified server-side. The publisher checks signatures before processing. Tampering is detectable at every stage. Ruleset versions are embedded in findings so results are reproducible.
Least Privilege Architecture
The web application uses read-only database credentials — it cannot modify session data. The publisher has scoped write access to ingest tables only. Admin operations require authenticated email verification against an allowlist. No single component has full system access.
Agent Security Model
The Vera agent runs as a Windows Service under the SYSTEM account with no network listening ports. It collects process and driver metadata through standard Windows APIs — no kernel driver, no injection, no hooking. The agent cannot modify games or interfere with anti-cheat systems.
Infrastructure
Data is stored in AWS RDS PostgreSQL with encryption at rest. Uploads pass through S3 with presigned URLs — the web app never touches raw bundle data. All web traffic is served over HTTPS via Vercel's edge network. Database credentials are rotated and stored as environment secrets.
Code Signing Status
Current agent builds are not code-signed with an EV certificate. Windows SmartScreen may show a warning on first install. We publish SHA-256 checksums for every release on GitHub so you can verify the installer independently. Code signing is on the roadmap.
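One way to perform the independent check described above, as an added example that is not part of the Vera project's own tooling. The file names and the sha256sum-style checksum list format are assumptions; use whatever names and format the GitHub release actually publishes.

```powershell
# Added example: compare a downloaded installer with a published SHA-256 checksum.
# Assumed checksum list format (sha256sum style): "<64 hex chars>  <file name>" per line.
function Test-InstallerChecksum {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ChecksumFile
    )
    $name = Split-Path -Leaf $InstallerPath

    # Collect the hash listed for exactly this file name; anything else is ignored.
    $expected = @(foreach ($line in Get-Content -LiteralPath $ChecksumFile) {
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$' -and $Matches[2] -eq $name) {
            $Matches[1]
        }
    })
    # Fail closed: a missing or ambiguous entry is treated as a verification failure.
    if ($expected.Count -ne 1) {
        throw "Expected exactly one SHA-256 entry for '$name', found $($expected.Count)."
    }

    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $InstallerPath

    [pscustomobject]@{
        File            = $name
        Expected        = $expected[0].ToUpperInvariant()
        Actual          = $actual
        HashMatches     = ($actual -eq $expected[0])   # -eq ignores case for strings
        SignatureStatus = $sig.Status                  # informational only
    }
}

# Constructed demo input: a stand-in file and a matching checksum list in a temp folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$exe  = Join-Path $dir 'agent-setup.exe'               # hypothetical file name
$list = Join-Path $dir 'SHA256SUMS.txt'                # hypothetical file name
Set-Content -LiteralPath $exe -Value 'constructed stand-in, not a real installer'
$sum = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLowerInvariant()
Set-Content -LiteralPath $list -Value "$sum  agent-setup.exe"

$result = Test-InstallerChecksum -InstallerPath $exe -ChecksumFile $list
$result | Format-List
if (-not $result.HashMatches) { Write-Error 'Checksum mismatch: do not run this installer.' }
```

Take the checksum from the GitHub release page itself rather than from wherever the installer was downloaded, since a checksum served alongside a tampered file can be replaced along with it. A matching hash shows the file is the one that was published; it does not replace the publisher identity that a code signature would provide.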
Reporting Issues
If you discover a security issue, please report it privately via GitHub. We take all reports seriously and will respond promptly.
