Security · Vulnerability Disclosure
Security at Manera
Manera is built by a solo founder in partnership with Claude. That makes our supply chain unusually small, but it also means we cannot afford a slow response when things go wrong. This page is our public commitment to how we handle security — for researchers, for customers, and for auditors.
1. Vulnerability disclosure policy
If you've found a security vulnerability in any Manera product or domain, we want to hear from you. Email [email protected] with:
- A clear description of the vulnerability and the affected URL or asset
- Reproduction steps (curl request, browser screenshot, minimal proof-of-concept)
- The impact you believe it has (data disclosure, account takeover, RCE, etc.)
- Whether you intend to publish a writeup and on what timeline
Our service-level commitments
- 24h: acknowledgement
- 7d: critical fix
- 30d: high / medium fix
On resolution we publish a CVE (where applicable), credit the reporter (if they wish), and update the affected sub-app's changelog. We do not gag researchers, and we do not require a non-disclosure agreement before discussing technical details.
2. Scope
In scope — every domain we operate, including:
- maneratech.com (corporate site, billing, signup, /api gateway)
- *.maneratech.com sub-app domains: cyber.maneratech.com, treasury.maneratech.com, lexiworld.maneratech.com, threatpulse.maneratech.com, fxwatch.maneratech.com, neip.maneratech.com, oracle.maneratech.com, talentintel.maneratech.com, adversarialai.maneratech.com, and the rest of the 25-app portfolio
- biditapps.com and the Bidit petal sub-domains (when applicable)
Out of scope — third-party services we use as sub-processors (listed in section 6). Report issues in those directly to the vendor.
Volumetric attacks, social-engineering attacks against Manera staff, and physical-security tests against any of the above third parties are also out of scope.
3. Safe harbor
Researchers acting in good faith will not face legal action from Manera Technologies Inc.
If you make a reasonable, good-faith effort to comply with this policy, we will not initiate or support any legal action against you for your research, including under Canadian Criminal Code §342.1 (unauthorized use of computer), the U.S. Computer Fraud and Abuse Act, or equivalent statutes in your jurisdiction. We will work with you to resolve the issue and credit you publicly if you wish.
What "good faith" means in practice:
- Don't access, exfiltrate, or destroy customer data — stop testing the moment you can confirm the issue exists
- Don't perform denial-of-service, brute-force, or volumetric attacks
- Don't publicly disclose before we've had a reasonable window to fix (default: 90 days from acknowledgement, sooner by mutual agreement)
- Don't social-engineer Manera staff, customers, or vendors
4. Bounty program
Manera does not currently offer cash bounties. We're a one-person company in early revenue and we'd rather spend that money on engineering quality than on a marketing-grade bug-bounty program. We do offer:
- Public credit on this page and in the affected sub-app's changelog (researcher's choice — credited or anonymous)
- A signed acknowledgement letter on Manera Technologies Inc. letterhead
- Free Manera Mesh Tier subscription for the calendar year of the report (where applicable)
Establishing a structured cash bounty program is on our roadmap once we cross $1M ARR. We will announce it on this page when it goes live.
5. Compliance posture
- In progress: SOC 2 Type II. Controls in place; observation window opens 2026 H2. Type II report expected mid-2027.
- Roadmap: ISO/IEC 27001. Gap analysis scheduled after SOC 2; targeting late 2027 certification.
- Compliant: Loi 25 (Quebec). Privacy Officer designated, DPIA process in place, breach-notification workflow tested. Data Processing Agreement (DPA) available on request.
- Compliant: GDPR Article 28. DPA available; sub-processors disclosed in section 6; EU/CA edge routing via Cloudflare where available; data subject access request (DSAR) workflow live.
- Compliant: PIPEDA (Canada, federal). Privacy policy at /privacy covers consent, access, correction, retention, and breach notification.
- Roadmap: HIPAA / HITECH. Not currently applicable; will revisit if a covered entity contracts with us under a BAA.
6. Sub-processors
The following third parties process customer data on our behalf. We give 30 days' notice before adding any new sub-processor with access to customer data.
- Anthropic: AI inference (Claude) for every Manera Intelligence output. Prompt-cached for cost governance and ephemeral by default; customer inputs are not used to train Anthropic's models. Per-customer cost governance enforces an 80% margin floor inside our inference path.
- Stripe: subscription billing, payment processing, invoicing. PCI DSS Level 1. Card data never touches Manera servers.
- Wise: multi-currency settlement and treasury operations. Customer data is not shared; Wise sees Manera's own banking activity only.
- Cloudflare: DNS, CDN, DDoS protection, and Cloudflare Tunnel for sub-app routing. EU/CA edge routing where available.
- Google Workspace: operational email and calendar (sales@, support@, security@, kao@). Customer application data is not stored here.
7. Security practices
- 80% margin floor enforcement on AI costs. Every Claude call passes through shared/usage_governor.py, which short-circuits with HTTP 402 when a customer's monthly budget is exhausted. Because the floor is enforced in the inference path rather than reconciled in billing afterwards, we have no commercial incentive to weaken caching, downgrade model quality, or cut corners on data handling.
- SHA-256 audit chains on all outputs. Every IncidentStage event, Oracle prediction, LexiWorld breach-clock document, and NEIP sanctions cascade output is hash-stamped at write time and linked to the previous entry. Customers can recompute the chain locally to check provenance and detect tampering.
- Per-customer budget caps. All 25 production apps wrap Claude calls in governed_create(). BudgetExceededException bubbles up as HTTP 402; there is never a silent overage.
- Paywall enforcement. 28/28 apps in the audited surface use the shared entitlement gate. No "free for now, charged later" surprise billing.
- Single-source legal stack. shared/legal_pages.py renders /terms, /privacy, /disclaimer, /acceptable-use, and /data-protection identically across every domain. Updates propagate atomically.
- Defensive coding doctrine. Every external integration (Anthropic, Wise, Stripe, Cloudflare, third-party feeds) is wrapped in try/except. If a dependency fails or is misconfigured, the surrounding app degrades gracefully rather than returning a 500.
- Read-only API tokens by default. The Wise integration uses a read-only token even though a write-scope option exists. We accept the cost (no automated webhook subscription) in exchange for a smaller blast radius.
- Transport security. TLS 1.2+ enforced via Cloudflare; HSTS preload on maneratech.com; plain HTTP is redirected to HTTPS at the edge.
- Email authentication. SPF and DMARC are enforced on maneratech.com; DKIM signing is in progress (Workspace Admin configuration pending), so DMARC alignment currently rests on SPF alone. Outbound mail from billing, security, and operational addresses passes alignment.
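The SHA-256 audit-chain bullet above says outputs are hash-stamped at write time so a customer can check them locally. The following is an added example written for this page, not Manera's code: it builds such a chain and shows what a local verifier can and cannot detect. The function names (append, verify), the entry layout, the GENESIS sentinel and the sample events are assumptions. A plain hash chain detects modification, reordering and deletion in the middle of the log; it cannot detect entries being dropped from the end unless the customer has recorded the newest hash out of band, and it does not prove who wrote an entry (that needs a signature over the head hash).

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # assumed "previous hash" of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always produces the same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def entry_hash(event_type: str, payload: dict, prev: str) -> str:
    """SHA-256 over the entry body plus the previous entry's hash (the link)."""
    body = {"type": event_type, "payload": payload, "prev": prev}
    return hashlib.sha256(canonical(body)).hexdigest()


def append(chain: List[dict], event_type: str, payload: dict) -> dict:
    """Hash-stamp an output at write time and link it to the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"type": event_type, "payload": payload, "prev": prev,
             "hash": entry_hash(event_type, payload, prev)}
    chain.append(entry)
    return entry


def verify(chain: List[dict],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link; return (ok, index of first bad entry).

    expected_head is the newest hash the customer recorded out of band. Without
    it, dropping entries from the END of the chain is undetectable, because the
    surviving prefix is still internally consistent.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e.get("prev") != prev:
            return False, i  # broken link: an earlier entry was removed or reordered
        if entry_hash(e["type"], e["payload"], e["prev"]) != e.get("hash"):
            return False, i  # body or stored hash was altered
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # chain was truncated (or is a different chain)
    return True, None


def demo() -> dict:
    """Constructed events: the type names mirror the bullet, the data is made up."""
    chain: List[dict] = []
    append(chain, "IncidentStage", {"incident": "INC-1", "stage": "triage"})
    append(chain, "OraclePrediction", {"question": "rate hike?", "p": 0.62})
    append(chain, "SanctionsCascade", {"entity": "X", "hops": 2})
    head = chain[-1]["hash"]  # what the customer would keep out of band

    tampered = [dict(e, payload=dict(e["payload"])) for e in chain]
    tampered[1]["payload"]["p"] = 0.99          # silently edit a prediction
    deleted = chain[:1] + chain[2:]             # remove a middle entry
    truncated = chain[:2]                       # drop the newest entry

    return {
        "intact": verify(chain, head),                    # (True, None)
        "tampered": verify(tampered),                     # (False, 1)
        "deleted": verify(deleted),                       # (False, 1)
        "truncated_no_head": verify(truncated),           # (True, None): not detectable
        "truncated_with_head": verify(truncated, head),   # (False, 2)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "truncated_no_head" case is the one to remember when reading a tamper-evidence claim: a customer who wants to detect a rolled-back log has to persist the latest hash somewhere the operator cannot rewrite.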
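For the per-customer budget cap and HTTP 402 behaviour described in the first and third bullets, here is an added example; it is not shared/usage_governor.py or governed_create() from the Manera codebase. It assumes that "80% margin floor" means a customer's monthly inference spend is capped at 20% of their plan price, that a cost estimate is available before each call, and that the client reports the actual cost afterwards. The customer, prices and fake client are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, Tuple

# Assumption: "80% margin floor" is read as "inference spend per customer may not
# exceed 20% of that customer's monthly plan price". The real rule is not on the page.
MARGIN_FLOOR = Decimal("0.80")


class BudgetExceededException(Exception):
    """Raised when a call would push a customer past their monthly inference cap.
    args == (customer_id, remaining_usd)."""


@dataclass
class CustomerLedger:
    plan_price_usd: Decimal
    spent_usd: Decimal = Decimal("0")

    @property
    def cap_usd(self) -> Decimal:
        return self.plan_price_usd * (Decimal(1) - MARGIN_FLOOR)

    @property
    def remaining_usd(self) -> Decimal:
        return max(self.cap_usd - self.spent_usd, Decimal(0))


class UsageGovernor:
    def __init__(self, ledgers: Dict[str, CustomerLedger]):
        self._ledgers = ledgers

    def reserve(self, customer_id: str, estimated_usd: Decimal) -> None:
        """Check BEFORE the call. Unknown customers fail closed (cap is zero)."""
        ledger = self._ledgers.get(customer_id)
        if ledger is None:
            raise BudgetExceededException(customer_id, Decimal(0))
        if ledger.spent_usd + estimated_usd > ledger.cap_usd:
            raise BudgetExceededException(customer_id, ledger.remaining_usd)

    def settle(self, customer_id: str, actual_usd: Decimal) -> None:
        """Record what the call really cost, even if it overshot the estimate;
        the overshoot then blocks the next call instead of vanishing."""
        self._ledgers[customer_id].spent_usd += actual_usd


def governed_create(governor: UsageGovernor, customer_id: str, estimated_usd: Decimal,
                    call: Callable[[], Tuple[str, Decimal]]) -> str:
    """Wrap a model call: reserve, call, settle. Raises BudgetExceededException."""
    governor.reserve(customer_id, estimated_usd)
    output, actual_usd = call()
    governor.settle(customer_id, actual_usd)
    return output


def handle(governor: UsageGovernor, customer_id: str, estimated_usd: Decimal,
           call: Callable[[], Tuple[str, Decimal]]) -> Tuple[int, dict]:
    """HTTP-layer mapping: budget exhaustion becomes a 402, never a silent overage."""
    try:
        return 200, {"output": governed_create(governor, customer_id, estimated_usd, call)}
    except BudgetExceededException as exc:
        _, remaining = exc.args
        return 402, {"error": "monthly inference budget exhausted",
                     "remaining_usd": str(remaining)}


ESTIMATE = Decimal("7.50")  # constructed per-call estimate


def demo_governor() -> UsageGovernor:
    """Constructed ledger: one customer on a $100/month plan, so the cap is $20."""
    return UsageGovernor({"acme": CustomerLedger(Decimal("100"))})


def fake_claude_call() -> Tuple[str, Decimal]:
    """Stand-in for the real client; returns (output, actual cost in USD)."""
    return "summary text", Decimal("7.50")


if __name__ == "__main__":
    g = demo_governor()
    for _ in range(3):  # third call crosses the $20 cap and gets a 402
        print(handle(g, "acme", ESTIMATE, fake_claude_call))
    print(handle(g, "nobody", ESTIMATE, fake_claude_call))  # unknown customer: 402
```

Two design points worth keeping: the check runs on the estimate before the call (a post-hoc check would already have spent the money), and a customer with no ledger row is treated as having no budget rather than as unlimited.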
8. Recent improvements
We publish a public status page and a portfolio-wide changelog summary at /status. Material security improvements are also written up in the affected sub-app's documentation. As of May 2026: 78% prompt-caching coverage across the AI surface, governed inference paths in 25/25 apps, single-source DPA propagation across all domains.
9. /.well-known/security.txt
We publish a machine-readable security disclosure pointer at /.well-known/security.txt per RFC 9116. Automated vulnerability-disclosure tooling can use that file to discover the contact channel without parsing this page.
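RFC 9116 makes Contact and Expires mandatory, allows only one Expires, and recommends that it be less than a year away; Canonical, Policy, Acknowledgments and Hiring must be https URIs. As an added example (not Manera's file or tooling), the checker below parses a security.txt and reports the problems that automated disclosure tooling would trip over. The sample file, its contact URIs and the pinned clock are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample, not Manera's real file; the contact URIs are placeholders.
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

FIXED_NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # pinned clock for reproducible results
HTTPS_ONLY_FIELDS = ("canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """RFC 9116 body: 'Field: value' lines, '#' comments, blank lines ignored.

    Field names are case-insensitive, so they are lower-cased; a field may
    repeat (several Contact lines), so every value is kept in order.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> Optional[datetime]:
    """Expires is an RFC 3339 timestamp; fromisoformat rejects a trailing 'Z' before 3.11."""
    v = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of problems; an empty list means tooling can rely on the file."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems: List[str] = []
    for bad in f.get("_malformed", []):
        problems.append(f"malformed line: {bad!r}")

    contacts = f.get("contact", [])
    if not contacts:
        problems.append("Contact: missing (RFC 9116 requires at least one)")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact: must be a mailto:, https: or tel: URI, got {c!r}")

    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: expected exactly one, found {len(expires)}")
    else:
        dt = parse_expires(expires[0])
        if dt is None:
            problems.append(f"Expires: not an RFC 3339 timestamp: {expires[0]!r}")
        elif dt <= now:
            problems.append("Expires: in the past; clients treat the file as stale")
        elif dt - now > timedelta(days=365):
            problems.append("Expires: more than a year out (RFC 9116 recommends less)")

    for name in HTTPS_ONLY_FIELDS:
        for u in f.get(name, []):
            if not u.startswith("https://"):
                problems.append(f"{name.capitalize()}: must be an https:// URI, got {u!r}")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE, FIXED_NOW))  # [] for the constructed sample
```

The Expires check is the one that silently bites in practice: a file that was valid when published becomes stale on a fixed date, so the check belongs in CI or a scheduled job rather than a one-off review.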