Security Model
Tenant isolation, upload security, rate limiting, and audit retention — the security guarantees Vulnios provides.
1. Tenant Isolation Model
Every data document in Firestore is scoped to an orgId. Firestore security rules enforce org membership at the database layer — not just in application code.
- All reads/writes require org membership verified by rules.
- MSP delegated access is explicitly limited — an MSP cannot access a customer org's /orgBilling.
- Platform admin has superuser access via custom claim.
- Worker access is gated by isWorker JWT claim and lease ownership.
- Every callable function also enforces membership in addition to rules.
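The callable-side check that the last bullet describes, as an added example (not Vulnios code): a pure authorization function that takes the same decisions the rules do, so the callable can refuse before touching Firestore. It assumes a document layout of `/orgs/{orgId}/...` with billing at `/orgs/{orgId}/orgBilling`, a custom claim named `platformAdmin` (the page names only `isWorker`), a membership map keyed by `orgId/uid` with roles `member` and `msp`, and a lease map from `scanId` to the worker uid holding that scan; all of these shapes are assumptions.

```javascript
// Added example, not Vulnios code. Assumed shapes (not from the page):
//   - documents live under /orgs/{orgId}/..., billing at /orgs/{orgId}/orgBilling
//   - auth.token carries custom claims `platformAdmin` (assumed name) and
//     `isWorker` (named on the page)
//   - memberships: Map of "orgId/uid" -> role ("member" | "msp")
//   - leases: Map of scanId -> uid of the worker holding the lease

function parseOrgPath(path) {
  // "/orgs/{orgId}/rest..." -> { orgId, rest }, or null for an unscoped path
  const m = /^\/orgs\/([^/]+)(\/.*)?$/.exec(path);
  return m ? { orgId: m[1], rest: m[2] || '' } : null;
}

function authorize(auth, path, memberships, leases) {
  if (!auth || !auth.uid) return { allowed: false, reason: 'unauthenticated' };
  const token = auth.token || {};
  const target = parseOrgPath(path);
  // Every document must be org-scoped; anything else is denied outright.
  if (!target) return { allowed: false, reason: 'unscoped-path' };

  // Platform admin: superuser via custom claim.
  if (token.platformAdmin === true) return { allowed: true, reason: 'platform-admin' };

  // Worker: holds no org membership; allowed only on the scan whose lease it owns.
  if (token.isWorker === true) {
    const scan = /^\/scans\/([^/]+)/.exec(target.rest);
    if (scan && leases.get(scan[1]) === auth.uid) return { allowed: true, reason: 'lease-owner' };
    return { allowed: false, reason: 'worker-without-lease' };
  }

  // Everyone else must be a member of the org that scopes the document.
  const role = memberships.get(`${target.orgId}/${auth.uid}`);
  if (!role) return { allowed: false, reason: 'not-a-member' };

  // MSP delegated access never reaches the customer's billing document.
  if (role === 'msp' && target.rest.startsWith('/orgBilling')) {
    return { allowed: false, reason: 'msp-billing-denied' };
  }
  return { allowed: true, reason: `role:${role}` };
}

function assertOrgAccess(auth, path, memberships, leases) {
  // Throw the way a callable would; 'permission-denied' is the Firebase error code.
  const verdict = authorize(auth, path, memberships, leases);
  if (!verdict.allowed) {
    const err = new Error(`permission-denied: ${verdict.reason}`);
    err.code = 'permission-denied';
    throw err;
  }
  return verdict;
}

// Constructed sample data for a stand-alone run.
const sampleMemberships = new Map([['org-a/alice', 'member'], ['org-a/msp-bob', 'msp']]);
const sampleLeases = new Map([['scan-1', 'worker-1']]);

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [
    [{ uid: 'alice', token: {} }, '/orgs/org-a/scans/scan-1'],
    [{ uid: 'msp-bob', token: {} }, '/orgs/org-a/orgBilling'],
    [{ uid: 'worker-2', token: { isWorker: true } }, '/orgs/org-a/scans/scan-1/results/r1'],
    [{ uid: 'root', token: { platformAdmin: true } }, '/orgs/org-b/orgBilling'],
  ];
  for (const [auth, path] of cases) {
    console.log(auth.uid, path, authorize(auth, path, sampleMemberships, sampleLeases));
  }
}
```

The function is deliberately side-effect free so the same table of cases can be run against it and against the deployed rules (with the Firestore emulator); a divergence between the two is the bug to look for, since the rules are the layer that holds when application code is bypassed.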
2. Upload Security
All uploaded files are stored in private Cloud Storage buckets under org-scoped paths. No public buckets. No public URLs for raw scan inputs.
Storage rules
- Signed upload URL issued per scan, single-use with expiry.
- File path must match orgs/{orgId}/scans/{scanId}/inputs/* pattern.
- Workers can access the outputs path only for their assigned scan job.
- Download URLs are signed, time-limited, and issued via callable function.
Workers upload only scan results and selected artifacts. Raw disk contents are never exfiltrated unless the org explicitly opts in to a local-agent full-capture mode.
3. Rate Limiting and Abuse Prevention
Sensitive callable functions enforce per-user or per-org rate limits to prevent abuse.
Rate limit counters are stored in Firestore under /rateLimits and cleanup runs on a schedule.
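A fixed-window counter of the kind described here, as an added example (not Vulnios code): one counter document per scope/id/action key, a wrapper that enforces the limit before the callable body runs, and the scheduled cleanup that drops counters whose window has closed. The Map stands in for the /rateLimits collection, and the key layout and the `resource-exhausted` error (the Firebase code for this condition) are choices made for the example.

```javascript
// Added example, not Vulnios code. The Map stands in for /rateLimits; in a real
// deployment the read-increment-write in checkRateLimit must run inside a
// Firestore transaction so concurrent invocations cannot both slip under the limit.

function rateLimitKey(scope, id, action) {
  // e.g. "user:uid123:createScan" or "org:org-a:exportAudit"
  return `${scope}:${id}:${action}`;
}

function checkRateLimit(store, key, { limit, windowMs }, now) {
  // Windows are aligned to multiples of windowMs so every caller agrees on them.
  const windowStart = now - (now % windowMs);
  let doc = store.get(key);
  if (!doc || doc.windowStart !== windowStart) {
    // No counter yet, or a stale one from an earlier window: start fresh.
    doc = { windowStart, count: 0, expiresAt: windowStart + windowMs };
  }
  if (doc.count >= limit) {
    return { allowed: false, remaining: 0, retryAfterMs: doc.expiresAt - now };
  }
  doc.count += 1;
  store.set(key, doc);
  return { allowed: true, remaining: limit - doc.count, retryAfterMs: 0 };
}

function cleanupRateLimits(store, now) {
  // Scheduled job: delete counters whose window has already closed.
  let removed = 0;
  for (const [key, doc] of store) {
    if (doc.expiresAt <= now) {
      store.delete(key);
      removed += 1;
    }
  }
  return removed;
}

function rateLimited(fn, store, policy) {
  // policy: { scope: 'user' | 'org', action, limit, windowMs }
  return (request, now = Date.now()) => {
    const id = policy.scope === 'org' ? request.orgId : request.auth.uid;
    const verdict = checkRateLimit(store, rateLimitKey(policy.scope, id, policy.action), policy, now);
    if (!verdict.allowed) {
      const err = new Error(`resource-exhausted: retry after ${verdict.retryAfterMs} ms`);
      err.code = 'resource-exhausted';
      err.retryAfterMs = verdict.retryAfterMs;
      throw err;
    }
    return fn(request);
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const store = new Map();
  const createScan = rateLimited((req) => ({ created: true, org: req.orgId }), store,
    { scope: 'user', action: 'createScan', limit: 2, windowMs: 60000 });
  const req = { auth: { uid: 'alice' }, orgId: 'org-a' };
  console.log(createScan(req, 0), createScan(req, 1));
  try { createScan(req, 2); } catch (e) { console.log(e.code, e.retryAfterMs); }
  console.log('cleaned', cleanupRateLimits(store, 60000));
}
```

A per-org policy shares one counter across all members of the org, which is what stops a single tenant from exhausting a shared quota by spreading calls over many accounts.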
4. Audit Logging and Retention
All privileged and sensitive actions write structured audit log entries with a correlation ID. Audit logs are append-only — update and delete are denied by Firestore rules.
- Fields: actorUid, action, orgId, targetType, targetId, before, after, severity, correlationId, timestamp.
- Platform admins can export audit logs for compliance workflows.
- Logs older than the retention period are subject to scheduled cleanup (configurable).
- Data deletion requests follow a two-step process: request + scheduled deletion job.