6-Layer Database Security

Philosophy: Assume every layer fails. A full breach should yield nothing useful.

Layer 1 — Minimize What's Worth Stealing

• Findings encrypted with hunter's public key — DB dump = useless ciphertext
• Decryption keys NEVER in the same DB — separate KMS (AWS KMS / Hashicorp Vault)
• Unique derived key per finding — cracking one ≠ cracking all

Layer 2 — Make the DB Unreachable

• DB in private VPC subnet, no public internet access
• Only API server can talk to it (security group allowlist)
• No SSH to DB server. Bastion host with MFA + session recording only.
• Separate DB credentials per service — compromising one doesn't give you everything

Layer 3 — Make the API Hard to Exploit

• Zero raw SQL — ORM with parameterized queries only (no injection possible)
• Rate limiting on all endpoints
• API keys scoped per role — sponsor tokens can't query finding content
• Input validation on everything. Trust nothing.

Layer 4 — Assume They Get In Anyway

• Hash store is SEPARATE service, SEPARATE infra — main DB breach doesn't touch it
• All DB access audit-logged to separate immutable log (can't cover tracks)
• Finding hashes anchored on Solana — delete entire DB, chain proof survives
• Automated anomaly detection — unusual query patterns trigger alerts
• DB snapshots every hour to isolated cold storage (air-gapped backups)

Layer 5 — Limit Blast Radius

• Encryption key rotation quarterly
• Hunter PII in completely separate DB from findings
• Zero long-lived credentials — short-lived tokens only

Layer 6 — Human Controls

• Two-person rule for any production DB access
• No single employee can access encrypted findings + decryption keys
• Penetration testing quarterly (using Prowl's own agents)
• Bug bounty on Prowl's own platform (meta-security)

Bottom Line

Full DB breach = encrypted blobs with keys they don't have + hash proofs they can't delete because they're on Solana.