CISA Secure by Design Pledge

Signed: 2026-04-22 · Review cadence: annual

Securie has signed the CISA Secure by Design pledge, committing to the seven goals below. This page tracks how each goal manifests in our product.

1. Multi-factor authentication (MFA)

MFA is enforced for every Securie dashboard account. Passkeys / WebAuthn are preferred, with TOTP as the fallback. There is no password-only path in production.

2. Default passwords

Securie has zero default passwords anywhere in its codebase. All secrets are either randomly generated per-deploy or customer-provided via our secrets-management surface.

3. Reducing entire classes of vulnerability

Our own codebase is written in Rust (memory-safe) and TypeScript (typed). Our specialist agents target the OWASP Top 10 and OWASP API Top 10 at the class level: we ship patches that eliminate the class, not individual instances.

4. Security patches

Critical and high patches ship within 7 days of confirmation; medium patches ship within 30 days. Every patch carries a signed attestation (in-toto + Sigstore) so operators can verify provenance before deploy.

5. Vulnerability disclosure policy

See our responsible-disclosure policy. We accept reports at security@securie.ai with a 24-hour acknowledgement SLA.

6. CVE accuracy

We request a CVE for every externally-reported vulnerability in Securie itself and populate CWE + CVSS-3.1 fields accurately. Our advisories link to the patch commit and the attestation.

7. Evidence of intrusion

Securie emits signed audit-log events for every privileged action (deploy-gate override, refund, admin config change) via our Security Data Platform. Customers can query their own tenant's evidence via the auditor-portal API.

Annual progress report

A public progress report is published every April 22. The first report is due 2027-04-22.