
Security

Last updated: March 26, 2026

Our Commitment

Security is foundational to everything we build at enowX Labs. We design our systems with a defense-in-depth approach, applying multiple layers of protection across our infrastructure, applications, and data handling processes.

This page describes the security measures we implement to protect your data and our platform. We believe transparency about our security practices builds trust and helps our users make informed decisions.

Infrastructure Security

Our Services run on dedicated server infrastructure with strict access controls. Key infrastructure security measures include:

  • All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
  • Server access is restricted to authorized personnel through SSH key authentication with multi-factor verification.
  • Network traffic is filtered through firewalls with strict ingress and egress rules. Only necessary ports and protocols are exposed.
  • Automated security patches are applied to operating systems and dependencies on a regular schedule.
  • System logs are collected centrally and monitored for anomalous activity.

Application Security

Our application layer implements several security mechanisms to protect user data and prevent unauthorized access:

  • License Validation. License payloads are signed using ECDSA (Elliptic Curve Digital Signature Algorithm), ensuring that license data cannot be forged or tampered with. Signature verification happens both server-side and within the client application.
  • Secret Management. Sensitive configuration values and secrets are encrypted using AES-GCM (Galois/Counter Mode) before storage. Encryption keys are managed separately from the encrypted data.
  • Password Hashing. User passwords are hashed using bcrypt with a cost factor that meets current industry recommendations. We never store plaintext passwords.
  • Session Tokens. Authentication uses JSON Web Tokens (JWT) with short-lived access tokens and rotating refresh tokens. Access tokens expire within minutes, limiting the window of exposure if a token is compromised.
  • Input Validation. All user inputs are validated and sanitized on both client and server sides. Parameterized queries prevent SQL injection, and output encoding prevents cross-site scripting (XSS).

License Security

Our licensing system is designed to prevent unauthorized use while remaining transparent to legitimate users:

  • HWID Binding. Each license is bound to a specific device through a hardware identifier derived from multiple hardware attributes. The HWID is hashed before transmission, so raw hardware serial numbers never leave your device.
  • Heartbeat Verification. Active licenses periodically verify their validity with our servers through encrypted heartbeat requests. This allows us to detect and respond to license abuse in near real-time.
  • Signed Payloads. License data transmitted between our servers and client applications is cryptographically signed. The client verifies the signature before accepting any license data, preventing man-in-the-middle attacks and payload tampering.
  • Revocation. We maintain a license revocation system that can immediately invalidate compromised or abused licenses across all connected clients.
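The client-side order of checks implied by the HWID Binding and Signed Payloads items, as an added example that is not enowX Labs' code: verify the ECDSA signature over the received bytes first, then compare the hashed device fingerprint and the expiry. The P-256 curve, the field names (hwid, expiresAt), the attribute names and the JSON/base64 encoding are all assumptions made for illustration.

```javascript
// Added example: keys, field names and values are constructed, not enowX Labs' code.
const crypto = require('node:crypto');

// Fingerprint from several hardware attributes; only this digest leaves the device.
function hwidHash(attrs) {
  const canonical = JSON.stringify(Object.keys(attrs).sort().map((k) => [k, attrs[k]]));
  return crypto.createHash('sha256').update(canonical).digest('hex');
}

// Server side: ECDSA signature over the exact serialized bytes.
function issueLicense(privateKey, fields) {
  const payload = Buffer.from(JSON.stringify(fields));
  const sig = crypto.sign('sha256', payload, privateKey);
  return { payload: payload.toString('base64'), sig: sig.toString('base64') };
}

// Client side: verify the received bytes before parsing them,
// then check device binding and expiry.
function checkLicense(publicKey, license, localAttrs, nowMs) {
  const payload = Buffer.from(license.payload, 'base64');
  const sig = Buffer.from(license.sig, 'base64');
  let ok = false;
  try { ok = crypto.verify('sha256', payload, publicKey, sig); } catch { ok = false; }
  if (!ok) return 'bad-signature';
  const fields = JSON.parse(payload.toString('utf8'));
  if (fields.hwid !== hwidHash(localAttrs)) return 'wrong-device';
  if (nowMs >= fields.expiresAt) return 'expired';
  return 'valid';
}

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const device = { cpu: 'CPU-0001', disk: 'DISK-0002', board: 'MB-0003' }; // constructed
  const fields = { user: 'demo', hwid: hwidHash(device), expiresAt: 2000 };
  const lic = issueLicense(privateKey, fields);
  // Tampered copy: expiry extended, original signature reused.
  const edited = Buffer.from(JSON.stringify({ ...fields, expiresAt: 9e15 }));
  const forged = { payload: edited.toString('base64'), sig: lic.sig };
  return {
    valid: checkLicense(publicKey, lic, device, 1000),
    expired: checkLicense(publicKey, lic, device, 3000),
    otherDevice: checkLicense(publicKey, lic, { ...device, disk: 'DISK-9999' }, 1000),
    tampered: checkLicense(publicKey, forged, device, 1000),
  };
}

console.log(demo());
```

A signature check alone cannot see a revoked license, which is the gap the heartbeat and revocation items above cover.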

Data Protection

We apply multiple layers of protection to the data we store and transmit:

  • All connections to our Services are encrypted with TLS 1.3. We enforce HTTPS across all endpoints and use HSTS headers to prevent protocol downgrade attacks.
  • Database contents are encrypted at rest. Backups are encrypted before storage and retained in geographically separate locations.
  • Credentials, API keys, and other sensitive values are stored in encrypted vaults, never in plaintext configuration files or source code.
  • Access to production data is restricted on a need-to-know basis and logged for audit purposes.

Authentication

Our authentication system supports multiple methods and implements safeguards against common attack vectors:

  • Email Verification. All accounts created with email and password must verify their email address before gaining full access. Verification tokens are single-use and time-limited.
  • OAuth Integration. We support sign-in through Google, GitHub, and Discord using industry-standard OAuth 2.0 flows. We request only the minimum scopes necessary for authentication.
  • Session Management. Sessions are tracked server-side with the ability to view and revoke active sessions. Inactive sessions expire automatically. Sensitive account actions (such as password changes or license transfers) require re-authentication.
  • Rate Limiting. Login attempts, password reset requests, and API calls are rate-limited to prevent brute-force attacks and abuse.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the efforts of security researchers who help us keep our platform safe. If you discover a vulnerability in our Services, please report it responsibly.

Send your report to security@enowxlabs.com with a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence (screenshots, proof-of-concept code, etc.).

When reporting, please:

  • Allow us reasonable time to investigate and address the issue before making any public disclosure.
  • Avoid accessing, modifying, or deleting data belonging to other users.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
  • Do not use automated scanning tools against our production systems without prior written permission.

Bug Bounty

While we don't currently operate a formal paid bug bounty program, we value and acknowledge the contributions of security researchers. Researchers who submit valid, previously unreported vulnerabilities will be:

  • Credited on our security acknowledgments page (with your permission).
  • Provided with a timeline for remediation and notified when the fix is deployed.
  • Considered for discretionary rewards based on the severity and impact of the reported vulnerability.

We ask that researchers act in good faith and follow our responsible disclosure guidelines. Reports submitted in good faith will not result in legal action against the researcher.

Contact

For security-related inquiries or to report a vulnerability:

enowX Labs
Semarang, Indonesia
Email: security@enowxlabs.com

For urgent security matters, include "URGENT" in your email subject line. We aim to acknowledge all security reports within 24 hours.
