StatVault

Security

StatVault protects a public sports encyclopedia, private account surfaces, proprietary Knox intelligence, and source-backed data artifacts. This page explains the security boundary in product language: what is allowed, what is not allowed, and how to report problems responsibly.

Vulnerability reporting

Report suspected vulnerabilities to security@statvault.org. Include the affected URL, reproduction steps, impact, and whether any data was accessed. Do not include secrets, passwords, private user data, or copied proprietary payloads in the report body.

Research rules

  • Use a test account you control.
  • Do not attempt denial-of-service, spam, credential stuffing, or rate-limit bypass.
  • Do not access another user's account, private data, API keys, or receipts.
  • Do not exfiltrate bulk data, model prompts, source ledgers, or Knox internals.
  • Stop immediately and report if you encounter non-public data.

Anti-scraping and data extraction

StatVault pages are built for human readers, search engines, and declared AI agents that respect robots, rate limits, and source attribution. Bulk extraction of raw data artifacts, reverse engineering of Knox scores, automated profile harvesting, or reconstruction of proprietary weights is not permitted without a written agreement.

Public pages may be indexed. API routes, private pages, operator views, raw ledgers, and bulk data exports are not public scraping targets. We use a mix of robots controls, no-index headers, rate limits, CSP reporting, source provenance checks, canaries, and abuse logs to protect these boundaries.

Agent access

AI agents should read /agents.json and /.well-known/llms.txt before crawling. Agents must identify themselves truthfully, honor rate limits, and avoid copying raw datasets or proprietary scoring internals. Signed or partner-grade access may be required for higher-volume use.

Data protection

Profile and leaderboard facts are generated from source-backed artifacts. Source ledgers, trust weights, route-cost logs, operator keys, and Knox calibration data are confidential. Public responses expose enough context to be trustworthy without exposing the machinery needed to clone the product.

Production controls

  • Strict Content Security Policy (CSP) with a report sink.
  • Security headers for browser hardening.
  • Authentication on account, dashboard, and admin surfaces.
  • Rate limits on sensitive ingestion and source-health endpoints.
  • Provenance checks for prospect and source-acquisition data.
  • No-index and no-store headers on API responses.

Last updated 2026-07-01. Security claims must track implemented controls; gaps should remain visible until fixed.