Security at CoalHost

Your data,
handled with care.

We're a small operation and we treat security accordingly: fewer moving parts, EU data residency, and a direct line to a human when you find something we missed.

What we do

The baseline controls. None of these are novel — but a lot of hosts skip the boring half of the list, and that's usually where breaches start.

EU data residency (Helsinki)

All customer data and game servers run in Hetzner's Helsinki datacenter. Backups stay in the EU. GDPR-compliant by construction — no cross-Atlantic transfers for storage.

HTTPS-only everywhere

Every public page is served over TLS. The control panel, the marketing site, and the customer dashboard. Plain-HTTP redirects to HTTPS at the edge.

bcrypt password hashing

Account passwords are stored as bcrypt hashes, not plaintext and not reversible. We can't see your password — we can only verify it.

Stripe-handled payments

Card numbers go directly to Stripe. We never see, store, or process raw card data — Stripe is PCI-DSS Level 1 certified and handles 3D Secure and SEPA.

Per-customer VM isolation

Your game server runs on its own Hetzner Cloud VM. No shared OS process, no noisy neighbour, no other customer reaching your world files.

Off-site backups (optional)

When OFFSITE_BACKUP_PROVIDER is configured (S3 or SFTP), daily backups replicate off the primary datacenter so a regional outage can't destroy your world.

Encrypted secrets storage

Sensitive values (API tokens, SSH keys, RCON passwords) are encrypted at rest with AES-256-GCM using a 32-byte SECRET_ENCRYPTION_KEY — never written plaintext to the database.

.well-known/security.txt

RFC 9116-compliant disclosure file at /.well-known/security.txt so researchers and automated scanners can find the right contact channel without guessing.

Responsible disclosure

Found a security issue? Tell us.

We'd much rather hear about a vulnerability from you than from an incident report. Email us privately, give us a reasonable window to fix it, and we'll credit you publicly when the patch ships.

Contact

[email protected]

Initial response

Within 24 hours (business hours, EU time)

Fix SLA

90 days for high/critical severity; longer disclosed deadlines for low-severity issues

Bug bounty

No cash bounty yet — we're too small. We credit researchers publicly and will revisit when revenue allows.

Hall of fame

Researchers who've responsibly disclosed issues will be listed here. None yet — be the first.

  • (No reports yet.)

Scope

What we can act on directly, and what belongs upstream.

In scope

  • coalhosting.com domain and all subdomains we operate
  • The mcpanel control panel and dashboard
  • Customer-facing API endpoints
  • Authentication, billing, and account-management flows
  • Game-server provisioning and lifecycle code paths

Out of scope

  • Third-party services we depend on (Stripe, Hetzner, Cloudflare, Anthropic) — report directly to them
  • User-installed mods, plugins, or world data uploaded by customers
  • Social-engineering attempts against staff or other customers
  • Denial-of-service / volumetric attacks
  • Issues already disclosed publicly without a fix in place

Standards we follow

  • RFC 9116 security.txt. Published at /.well-known/security.txt so researchers can find the right contact without hunting.
  • Annual third-party audit (planned 2026). No external audit has been performed yet. We'll publish the scope and findings here once the first one is complete — including anything we had to fix.
  • HSTS preload (planned). HTTPS is already enforced at the edge. HSTS preload submission is on the security roadmap once we've validated every subdomain serves TLS correctly.
  • GDPR. EU-based operator, EU datacenter, EU storage. Customer data export and deletion are available on request and honoured within statutory timelines.

Start a secure server from €2 / GB

EU datacenter, isolated VM, encrypted secrets, daily backups. Two-minute deploy.

Start a secure server

Reporting an issue? [email protected]. General support: [email protected].