Security Policy

Last updated: March 2026

Reporting a vulnerability

If you discover a security vulnerability in any 8Network product or website, please report it responsibly.

Email: [email protected]

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected product or URL
  • Your assessment of severity

Our response

  • We will acknowledge your report within 48 hours
  • We will provide a timeline for a fix within 7 days
  • We will notify you when the vulnerability is resolved
  • We will credit you in the advisory (unless you prefer to remain anonymous)

What we commit to

  • Free security updates for all supported products
  • Transparent disclosure of fixed vulnerabilities
  • SBOM (Software Bill of Materials) for all releases
  • Coordinated vulnerability disclosure
  • 24-hour incident reporting to EU authorities for actively exploited vulnerabilities (from September 2026, per EU Cyber Resilience Act)

Open source

The core components of 8Vast are open source. You can audit the code that runs on your machine:

Security issues in open source components can also be reported via GitHub Security Advisories.

Infrastructure

  • All websites hosted on Cloudflare Pages (EU)
  • All data stored in EU data centers (Hetzner, Germany)
  • TLS 1.3 enforced on all connections
  • No user data transmitted outside the EU without explicit consent

Compliance

8Network is preparing for compliance with the EU Cyber Resilience Act (CRA), with vulnerability reporting obligations from September 2026 and full compliance by December 2027. We are also committed to GDPR, the Digital Services Act, and the EU AI Act.

Scope

This security policy covers all 8Network products and websites: 8network.io, 8vast.io, 8salon.io, 8self.io, 8ids.io, status.8vast.io, and all software distributed under the 8Network brand.