
Security: Relay-Launch/relaylaunch-console

SECURITY.md

RelayLaunch Security Policy & Security Audit

RelayLaunch takes the security of its AI infrastructure seriously. This policy covers the relaylaunch-console repository.

πŸ›‘οΈ Security Reporting

If you discover a security vulnerability, report it responsibly. Do not open a public GitHub issue, and keep the details private until a fix has shipped.

Email: security@relaylaunch.com

We acknowledge reports within 48 hours and aim to ship a fix within 7 days for critical issues.

πŸ” Security Measures & The 8-Gate Audit

Automated Scanning

  • Dependabot scans dependencies daily and opens PRs for vulnerable packages.
  • npm audit runs on every CI build; high-severity findings block deploys.
  • Dependency review checks every PR for newly introduced vulnerabilities.

Architectural Defense (Operation Fortress)

  • Hosted on Vercel with built-in DDoS protection and edge network caching.
  • Supabase provides PostgreSQL with Row Level Security (RLS) enabled on every table, so tenant isolation is enforced in the database rather than only in application code. RLS applies to the anon and authenticated roles; the service-role key bypasses it and is never exposed to clients.
  • Server Components by default, which minimizes the client-side attack surface.
  • Secrets are read only in server-side code; nothing secret is placed in a NEXT_PUBLIC_ variable, because Next.js inlines those into the client bundle.
  • Authentication via Supabase Auth with strict JWT validation.
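The RLS bullet above is the one a reviewer most wants to see concretely. The following is an added example, not code from the relaylaunch-console repository: a migration in the shape Supabase uses, with a per-tenant policy set for an assumed projects table (the table and column names are assumptions), the row-count check that verifies every public table actually has RLS enabled, and a local smoke test that exercises a policy as the authenticated role.

```sql
-- Added example (not the project's own migration). Table/column names assumed.
create table if not exists public.projects (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade,
  name     text not null
);

-- Enable RLS and force it so even the table owner is subject to the policies.
alter table public.projects enable row level security;
alter table public.projects force row level security;

-- Weak shape to avoid: a permissive catch-all that makes RLS a no-op.
--   create policy "anyone" on public.projects for all using (true);

-- Correct shape: scope every operation to the JWT subject. auth.uid() is the
-- helper Supabase defines; it returns the sub claim of the caller's JWT.
create policy "projects_select_own" on public.projects
  for select to authenticated
  using (owner_id = auth.uid());

create policy "projects_insert_own" on public.projects
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "projects_update_own" on public.projects
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "projects_delete_own" on public.projects
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check: list public tables that still have RLS disabled. Expected: zero rows.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- Local smoke test (run in a transaction so nothing persists). Supabase's
-- auth.uid() reads the JWT claims from the request.jwt.claims setting, so
-- impersonating a user is just setting that config for the transaction.
begin;
  insert into public.projects (owner_id, name) values
    ('00000000-0000-0000-0000-000000000001', 'tenant-a project'),
    ('00000000-0000-0000-0000-000000000002', 'tenant-b project');

  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                    true);

  -- Expected: exactly one row, 'tenant-a project'. Two rows means a policy leak.
  select name from public.projects;

  -- Expected: 0 rows affected; the with check clause rejects rows for another tenant.
  insert into public.projects (owner_id, name)
    values ('00000000-0000-0000-0000-000000000002', 'spoofed');
rollback;
```

The catalog query is the gate worth wiring into CI against a migrated database: a migration that creates a table and forgets `enable row level security` shows up there immediately, whereas it is invisible from the application code. The smoke test run with the service-role key (or as a superuser) would return both rows, which is exactly why that key must stay server-side.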

Data Ownership & Privacy

  • Parameterized queries are strictly enforced; no raw SQL concatenation.
  • Migration files are subjected to peer and AI security review before deployment to the production cluster.

Supported Versions

Version                Supported
Latest (main branch)   Yes
All other branches     No

Scope

This policy covers:

  • The relaylaunch-console repository
  • The Control Center application and its API routes
  • All CI/CD workflows in .github/workflows/
  • Supabase database migrations and RLS policies
  • The local Secure Live Infrastructure integrations

Out of scope: third-party services (Vercel, Supabase, Google Workspace, ElevenLabs); report issues in those to the respective vendors.