1. Account protection
LadderStar uses Firebase Authentication for supported sign-in paths. Users are responsible for protecting their email, identity provider accounts, devices, and active sessions.
Security practices for LadderStar accounts, public profiles, admin operations, billing, messaging, and AI audition features.
Effective date and last updated: May 3, 2026
Firestore rules and server routes separate client-owned data from server-owned operational records. Admin and owner authorization must be verified server-side. Wallet balances, wallet transactions, role changes, status changes, and audit logs are designed to be server-owned.
Production secrets belong in deployment environment settings and must not be committed. Firebase private keys require runtime newline handling. Vercel hosts the application and may provide analytics and performance tooling.
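The newline handling mentioned above, as an added example that is not LadderStar's own code: a Node helper that turns the literal `\n` sequences an environment setting often stores back into real newlines and refuses anything that is not a well-formed PEM block. The variable name `FIREBASE_PRIVATE_KEY`, the helper name, and the sample value are assumptions made for illustration.

```javascript
// Hypothetical helper; the env var name FIREBASE_PRIVATE_KEY is an assumption.
// Service account keys are PKCS#8 PEM: header, base64 lines, footer.
const PEM_RE =
  /^-----BEGIN PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)\n-----END PRIVATE KEY-----\n?$/;

function normalizePrivateKey(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new Error('private key variable is not set');
  }
  let key = raw.trim();
  // Some dashboards and .env loaders keep the wrapping quotes in the value.
  if (key.length >= 2 && key.startsWith('"') && key.endsWith('"')) {
    key = key.slice(1, -1);
  }
  // Literal backslash-n (and backslash-r) sequences become real line breaks.
  key = key.replace(/\\r/g, '').replace(/\\n/g, '\n').replace(/\r\n/g, '\n');
  if (!PEM_RE.test(key)) {
    // Fail closed, and never echo key material into logs or error text.
    throw new Error('private key is not a well-formed PKCS#8 PEM block');
  }
  return key.endsWith('\n') ? key : key + '\n';
}

// Constructed sample: the body is 64 "A" characters, not a real key.
const SAMPLE_BODY = 'A'.repeat(64);
const SAMPLE_ENV_VALUE =
  '"-----BEGIN PRIVATE KEY-----\\n' + SAMPLE_BODY +
  '\\n-----END PRIVATE KEY-----\\n"';

// In a deployment the input would be process.env.FIREBASE_PRIVATE_KEY and the
// result would be passed as privateKey to the Admin SDK credential.
const normalized = normalizePrivateKey(SAMPLE_ENV_VALUE);
console.log('PEM lines after normalization:', normalized.trim().split('\n').length);
```

Running the check at startup surfaces a malformed key as one clear configuration error rather than as a later authentication failure.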
Report suspected vulnerabilities, unauthorized access, exposed secrets, account takeover risk, or platform abuse to legal@ladderstar.com. Include steps to reproduce, affected URLs, screenshots or logs where safe, and your contact information.
This page describes current practices at a high level. It does not claim a particular certification, audit, compliance framework, uptime guarantee, or complete immunity from security incidents.