Security
Effective 23 May 2026 · Version 2.0
This page documents Vela's security architecture, the controls we operate, how we handle incidents, and how to disclose a vulnerability safely. Referenced from the Terms, Privacy Policy and DPA as our Article 32 technical and organisational measures.
1.Architecture overview
- Control plane — Go service handling auth, billing, account state. Stateless beyond Postgres + Redis, behind Caddy with HSTS.
- Gateway — Go SOCKS5 / HTTP CONNECT terminator with per-flow auth, allow-list enforcement, sticky routing, per-byte metering.
- Database — PostgreSQL, network-isolated, no public ingress.
2.Authentication & secrets
- Argon2id password hashing tuned to ~250 ms
- JWT HS256 session tokens with short TTLs
- API keys bcrypt-hashed; plaintext shown once
- Admin: X-Admin-Token verified with constant-time compare, rate-limited per IP
3.Transport & abuse hardening
TLS 1.2+ everywhere; HSTS with preload. SOCKS5 ATYP=3 (socks5h://) only — DNS always traverses the gateway. Background TCP health-check of upstream nodes every 5 minutes.
4.Coordinated vulnerability disclosure
Send findings to security@vela.watch. Safe-harbour for good-faith research; we acknowledge within 24 hours, triage within 72.
| Stage | Target |
|---|---|
| Acknowledge receipt | ≤ 24 hours |
| Initial triage | ≤ 72 hours |
| Critical/High remediation | ≤ 14 days |