Account authentication
Account passwords are hashed before storage. The application also implements passkey registration and authentication routes. Session and authorization checks protect signed-in pages and server actions.
This page describes controls visible in the current AdverseMonitor application and states where public assurance evidence is not available. It is not a certification report.
Account passwords are hashed before storage. The application also implements passkey registration and authentication routes. Session and authorization checks protect signed-in pages and server actions.
API requests require bearer authentication. Stored API-key records use a key prefix for identification and a hash for verification. Keys can expire, be revoked, and are subject to plan and endpoint checks.
Application queries associate customer resources such as profiles, keys, and usage with the authenticated user. Database migrations include row-level security policies as an additional access boundary.
Authentication, general application requests, and public API use have implemented rate-limit checks. API usage and application activity are recorded for operational review.
Email recipients and collaboration webhooks are customer-configured fields. A monitoring profile can be used dashboard-only with every outbound notification channel left blank.
The product matches customer-supplied terms against collected threat records. It does not require an agent inside the customer network for the monitoring workflow described on this site.
If you believe you found a vulnerability, send a concise report to security@adversemonitor.com with the affected URL, reproduction steps, potential impact, and any supporting evidence. Do not access other users’ data, disrupt service, or use social engineering.
This address is for inbound reports. Visiting this page or using the product does not trigger an email.