Privacy & security model
Defense in depth
We use a defense-in-depth approach to security: no single control is treated as sufficient on its own. Layers include network edge protection, application access controls, encryption, human moderation before anything reaches the public feed, and continuous monitoring. Each layer is designed so that a failure in one place does not automatically expose sensitive community data.
No system can be guaranteed 100% secure. We are honest about that limit. What we can commit to is making a successful breach far less useful to an attacker: account emails, phone numbers, and passwords are encrypted at rest with keys held separately from application data, and public alert pins only publish after moderation.
Edge protection & monitoring
Traffic to ICE Around passes through an up-to-date Web Application Firewall (WAF) that filters common attack patterns, abusive bots, and protocol-level abuse before requests reach our application. The WAF is maintained as threats evolve, not deployed once and forgotten.
Application and infrastructure events are forwarded to a Security Information and Event Management (SIEM) platform. Access attempts, authentication events, administrative actions, rate-limit triggers, and other security-relevant signals are logged and correlated. Alerts are generated in real time so our team can investigate suspicious activity as it happens, not days later. Full SIEM integration and on-call alerting workflows are being finalized; this page will be updated as those controls go live.
Public vs private
- Public feed: approved alert pins, confidence levels, safety guidance
- Private vault: reporter identity, private evidence, moderator notes
- Alerts remain public unless removed through moderation or operations