VUCA
VUCA NEWS · SECURITY

Security posture

A plain statement of how the platform is built and run today. This is a public-beta posture described honestly — not an enterprise compliance claim.

AUTHENTICATION & ACCESS CONTROL

Reader accounts use Supabase Auth (email-based). The editorial desk is a separate, explicitly-granted role: every admin action re-verifies the session and editor membership server-side, and all privileged writes go through the service role on the server — no privileged key ever reaches a browser. Public database access is read-only, enforced by row-level security. Machine publication is bounded by a server-enforced policy that pipeline code can narrow but never widen.

DATA & RETENTION

The public record (scores, claims, revisions, forecasts, source ledger) is append-only by design and retained indefinitely — that permanence is the product. Personal data is minimal (see /privacy): account email, handle, watchlists, forecast history. Accounts can be deleted on request; forecast history is anonymized rather than erased, because scored public predictions are part of the accuracy record.

LOGGING, BACKUPS & AUDIT

Every editorial and administrative action writes an audit row (actor, action, subject, timestamp). Database backups run on the managed platform's schedule (daily, with point-in-time recovery). Pipeline runs are logged per execution in CI, so any published artifact can be traced to the run that produced it.

EMBEDS

Public widgets under /embed are intentionally served with permissive framing (frame-ancestors *): they are designed to be embedded anywhere, contain only public data, and carry no session state. Future private or premium embeds will use scoped origins and signed access — the open posture applies to the public layer only.

REPORTING A VULNERABILITY

Email christopher@vucanews.com with subject SECURITY. You'll get an acknowledgment, a fix or a timeline, and credit if you want it. Good-faith research against your own account's scope is welcome; please don't degrade the service for others. The same address is the incident-response contact.

ROADMAP

Before any paid tier: formal privacy review, dependency audit cadence, key-rotation runbook, and scoped/signed embeds. Enterprise asks (SSO, audit export, private workspaces) come after the public trust layer has earned it.