PDF Underground
Protocol // Defense Posture

Security

We publish research about systems that fail. Ours isn't one of them.

TLS Everywhere

All connections encrypted via HTTPS/TLS 1.3. No mixed content. No exceptions. HSTS enforced.

PCI DSS Level 1

Payments handled by Stripe, which is certified at the highest level of PCI compliance. Card data never reaches our servers.

Secure Downloads

Document links carry time-limited, single-use tokens. Expired links cannot be reused or guessed.

Encrypted Storage

Documents stored with server-side encryption (AES-256). Data at rest is protected at the infrastructure level.

Authentication

Passwordless magic-link authentication. No passwords to leak, no credentials to brute-force.

Infrastructure

Hosted on hardened cloud infrastructure with automated security patches and network-level DDoS protection.

Responsible Disclosure

If you discover a security vulnerability, we want to hear about it. Email us at contact@pdfunderground.com with subject line [SECURITY].

Describe the vulnerability with reproduction steps
Allow reasonable time for us to patch before disclosure
Do not access or modify other users' data
We do not pursue legal action against good-faith researchers

What We Don't Do

We don't store passwords (we use passwordless auth). We don't log IP addresses. We don't run analytics that could identify you. We don't use third-party scripts that could compromise your session. Your reading habits are your business.

Threat Level: Mitigated — Last Audit: Q1 2025