Security

Last updated: 2026-04-08

This page describes how Postato protects customer data and how security researchers can responsibly report vulnerabilities. Postato is in active development. As the platform evolves, this page will be updated to reflect changes in practices and scope.

1. Overview

Postato is a mediated carrier between you and the social networks you connect. Postato never holds the credentials (login and password) of those networks and never generates content on your behalf. The security model is built around three goals: keep your authorization tokens safe, keep workspaces strictly isolated, and make every delivery auditable.

2. How we protect your data

The protections below are implemented in the production codebase, not aspirations.

  • Encryption in transit. All interactions with the REST API, the MCP server, and the web dashboard use HTTPS (TLS).
  • Encryption at rest. OAuth tokens of connected social networks and outbound webhook secrets are stored encrypted with AES-256-GCM.
  • Hashed credentials. API keys, OAuth access tokens, OAuth refresh tokens, and user passwords are stored only as one-way hashes (SHA-256 or equivalent). The plain value of an API key is shown to you exactly once, at creation, and cannot be recovered later.
  • Workspace isolation. Data belonging to one workspace is not accessible to another workspace by construction. Every database query is scoped to a tenant identifier.
  • SSRF protection. Outbound requests for media URLs are validated before fetching. Requests directed at private network ranges (RFC 1918), the AWS instance metadata service (169.254.0.0/16), and non-HTTPS URLs are blocked at the entry point.
  • Webhook signing. Every outbound webhook delivery is signed with HMAC-SHA256, using a per-tenant secret, and includes a timestamp to prevent replay. Receivers should verify the signature before processing the event.
  • Idempotency. Submissions that include an Idempotency-Key header cannot produce duplicate publications on retry, even across reconnections.
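Receiver-side verification of a signed delivery, as an added example that is not Postato's own code: it checks the timestamp against a replay window before comparing the HMAC-SHA256 signature in constant time. The header names (X-Postato-Signature, X-Postato-Timestamp) and the signed-string layout `<timestamp>.<raw body>` are assumptions, since the page does not document the exact format.

```python
# Added example, not Postato's code. Header names and the signed-string
# layout ('<timestamp>.<raw body>') are ASSUMED for illustration; the page
# only states HMAC-SHA256, a per-tenant secret and a timestamp.
import hashlib
import hmac
import time

SIG_HEADER = "X-Postato-Signature"   # hypothetical header name
TS_HEADER = "X-Postato-Timestamp"    # hypothetical header name
MAX_SKEW_SECONDS = 300  # reject deliveries older (or further ahead) than this


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>' (assumed layout)."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason); process the event only when ok is True.

    Order matters: cheap header checks first, then the replay window, then
    the signature, so a stale replay is rejected before any HMAC work.
    """
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "timestamp is not an integer"
    current = time.time() if now is None else now
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # compare_digest does not leak how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), sig.lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery (secret, timestamp and body are made up).
SAMPLE_SECRET = b"constructed-per-tenant-secret"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = b'{"event":"post.published","post_id":"example-123"}'
SAMPLE_HEADERS = {TS_HEADER: SAMPLE_TS,
                  SIG_HEADER: sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)}
```

Verify against the raw request bytes, not a re-serialised JSON object, or the HMAC will not match.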

3. Authentication

Postato accepts three authentication modes, each scoped to its use case:

  • API keys in the format smcp_*, transmitted via the Authorization: Bearer header. Used by REST clients and MCP clients that prefer key-based access.
  • Web sessions for the dashboard, managed via HttpOnly cookies.
  • MCP OAuth 2.0 with PKCE (S256), supporting Dynamic Client Registration (RFC 7591). Used by MCP-aware AI agents that prefer a delegated authorization flow.

Tokens issued through any of these flows are stored hashed and can be revoked at any time.

4. Operational security

  • Service health is continuously monitored and incidents are tracked on the public status page.
  • Internal access to production infrastructure follows the principle of least privilege.
  • Application dependencies are reviewed before adoption and updated in response to disclosed vulnerabilities.
  • Submissions are validated at the API entry point. Malformed payloads, unsupported media formats, or values outside the technical limits of the destination platform are rejected before reaching the queue.

5. Reporting a vulnerability

If you believe you have found a security vulnerability in Postato, we want to hear from you.

How to report. Send the details to legal@postato.com.br with [SECURITY] in the subject line.

What to include.

  • A clear description of the issue and its potential impact
  • Step-by-step instructions to reproduce
  • Any proof-of-concept code, screenshots, or HTTP requests that help us reproduce
  • Your name and contact information, if you wish to be acknowledged

What to expect.

  • We confirm receipt within 2 business days
  • We provide an initial assessment within 7 business days
  • We keep you informed of the progress until the issue is resolved
  • We coordinate the disclosure timing with you

Coordinated disclosure window. We follow a 90-day coordinated disclosure window. Postato commits to remediate or to provide a clear timeline within 90 days from your initial report. After that window, you are free to disclose publicly.

6. Safe harbor

Postato will not pursue legal action against security researchers who report vulnerabilities in good faith, within the scope defined below, and following the rules of engagement.

In scope.

  • Production systems on *.postato.com.br
  • The Postato REST API
  • The Postato MCP server
  • The Postato web dashboard

Out of scope.

  • Denial-of-service attacks of any kind
  • Social engineering targeting employees, contractors, or users
  • Physical attacks against any infrastructure
  • Reports of vulnerabilities in third-party dependencies that are already publicly known and have a published advisory
  • Findings that require physical access to a victim's device
  • Reports based solely on missing security headers, automated scanner output, or lack of SPF/DKIM/DMARC, unless a concrete impact is demonstrated

Rules of engagement.

  • Do not access, modify, or destroy data that does not belong to you
  • Do not exfiltrate more data than is strictly necessary to demonstrate the issue
  • Do not disrupt the service or degrade the experience of other users
  • Do not disclose the vulnerability publicly before Postato has had a reasonable opportunity to fix it, within the 90-day window
  • Comply with applicable law

Researchers who follow these rules and report in good faith will be considered authorized for the purpose of these tests, and Postato will not initiate or support any complaint against them.

7. Acknowledgments

This section will be populated as researchers responsibly report vulnerabilities. Reporters are listed only with their explicit permission.

8. Bug bounty

Postato does not operate a paid bug bounty program at this time. During early access, public acknowledgment (with your permission) is the only form of recognition available. This may change once Postato exits early access. Any future paid program will be announced on this page.

9. Changes to this page

This page may be updated. The "Last updated" date at the top reflects the most recent version. Material changes to the disclosure process will be communicated on the status page and through this page.

10. Contact

For security reports and questions about this policy: legal@postato.com.br