Security

Overview

Security is a process, not a checkbox. We design for least privilege, encrypt data in transit on our websites using HTTPS, and apply sensible defaults in the systems we operate. Details vary by product; this page describes our public commitment and how to reach the right inbox.

Data in transit

rumblebuilt.com and our configured forms are intended to be served over TLS (HTTPS). Do not submit sensitive information on pages that fail certificate validation or that you accessed over plain HTTP in production.

HTTP security headers

On production hosting (for example Vercel), HTML responses from this site are configured to send common browser protections. The exact set may evolve; as deployed they include:

• Strict-Transport-Security (HSTS) — tells supporting browsers to use HTTPS for future visits.
• X-Content-Type-Options: nosniff — reduces MIME-type confusion attacks.
• X-Frame-Options: DENY — discourages embedding this site in frames (clickjacking risk).
• Referrer-Policy — limits what referrer information is sent on cross-origin requests.
• Permissions-Policy — disables sensitive browser features we do not use on these pages (for example camera and microphone by default).
• Content-Security-Policy (CSP) — restricts where scripts, styles, fonts, images, and form posts may load from; inline scripts and styles on these pages require a narrow unsafe-inline allowance. Third-party assist or intake tools that call arbitrary HTTPS APIs need connect-src allowances consistent with your deployment.

If a legitimate integration is blocked in your environment, adjust CSP in your deployment config (for example vercel.json) rather than disabling headers globally without review.

Subprocessors & infrastructure

Like most teams, we use hosted services (for example, form delivery, DNS, and deployment). Those vendors process data under their own agreements; see our Privacy page for how we describe data flows on this site, and rely on your product-specific agreements for production apps.

Report a vulnerability

If you believe you have found a security issue in rumblebuilt.com properties or a Rumble Built–operated product, email security@rumblebuilt.com with a concise description, affected URLs or endpoints, reproduction steps, and (if relevant) a non-destructive proof of concept. We aim to acknowledge receipt within a few business days. Please give us reasonable time to remediate before public disclosure.

Do not access or exfiltrate user data, degrade service, or perform physical or social attacks. If you are unsure whether testing is authorized, ask first via the same address.

Product support

Account lockouts, billing, and general troubleshooting are handled through Support, not the security inbox. Use the security address only for vulnerability reports and coordinated disclosure.

Vendor reviews & questionnaires

For qualified engagements, we can complete vendor security questionnaires and provide insurance certificates through your procurement process. Start the thread via Contact (Signal) and mention procurement so we route your request. This page stays high-level; specifics are handled under NDA or statement of work as appropriate.

Related

Privacy  ·  Terms of use  ·  How engagements work