The website
This site is built to be boring to attack:
- Strict Content-Security-Policy — public pages run under a default-deny policy: no inline scripts, no inline styles, no inline event handlers. Pages with sign-in functionality run their own per-path policy that is still locked to our own origins.
- Zero third-party origins — every script, style, font, and image loads from this domain. There are no third-party tags, CDNs, or trackers for an attacker to compromise upstream.
- HTTPS everywhere — with HSTS preload, so browsers refuse to ever load the site over plain HTTP.
- Hardened headers — frame-ancestors 'none' (no clickjacking), nosniff, cross-origin isolation (COOP/COEP/CORP), and a locked-down Permissions-Policy.
- Violation reporting — every policy reports violations to an endpoint we operate, so a regression surfaces to us, not just to your console.
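The five properties above are cheap to regression-test. What follows is an added example in Python, not the site's own code: an `audit()` function that checks a response's headers for exactly those properties (default-deny CSP with no inline or third-party sources, frame-ancestors 'none', HSTS preload, nosniff, COOP/COEP/CORP, violation reporting), run over a constructed sample header set.

```python
# Added example (not the site's own code): a regression check for the header
# posture listed above, run over a constructed sample response.
SAMPLE_HEADERS = {  # constructed; the real site's directives differ in detail
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
        "font-src 'self'; connect-src 'self'; frame-ancestors 'none'; report-uri /csp-report"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src",
                    "font-src", "connect-src")
INLINE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")
ISOLATION_HEADERS = ("cross-origin-opener-policy", "cross-origin-embedder-policy",
                     "cross-origin-resource-policy")

def parse_csp(value: str) -> dict:  # {directive: [source, ...]}
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers: dict) -> list:
    """Return one finding per broken promise; an empty list means all hold."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    for directive in FETCH_DIRECTIVES:
        for src in csp.get(directive, []):
            # inline/eval keywords, wildcards and any scheme or host source reopen surface
            if src in INLINE_SOURCES or src == "*" or ":" in src:
                findings.append(f"CSP {directive} allows {src}")
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    if "report-uri" not in csp and "report-to" not in csp:
        findings.append("CSP has no violation reporting")
    hsts = h.get("strict-transport-security", "").lower()
    if "preload" not in hsts or "includesubdomains" not in hsts:
        findings.append("HSTS is not preload-eligible")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    findings += [f"missing {name}" for name in ISOLATION_HEADERS if name not in h]
    return findings
```

Feed it the headers from a live response in a deploy check; any non-empty result is the regression the reporting endpoint would otherwise have to catch in production.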
Verifying your download
Every release publishes its SHA-256 hash on the download page and at /api/version.json, so you can verify that the installer you received is byte-for-byte the one we built. The in-app updater performs the same check automatically — it verifies the SHA-256 of every update against the published value before installing it.
Being straight with you: installers are currently unsigned while we obtain an EV code-signing certificate, so Windows SmartScreen may warn on first run. The warning is about the missing signature, not about anything PULSE does. Until signing lands, the published SHA-256 is the integrity chain — verify it if you have any doubt. We also submit each release to Microsoft and the major antivirus vendors so heuristic warnings clear over time.
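The download check, as an added example in Python (not PULSE's updater code): it streams the installer through SHA-256, normalizes the case of the published value, refuses to proceed when no usable value is published, and compares in constant time. The layout of /api/version.json is assumed, and the file and hash used here are constructed.

```python
# Added example (not PULSE's updater code): the integrity check described above.
# The version.json layout is an assumption; the file and hash are constructed.
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer is never read whole

def sha256_of_file(path: str) -> str:
    """Lowercase hex SHA-256 of the file's bytes, streamed from disk."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def published_hash(version_json: str) -> str:
    """Pull the published SHA-256 out of a version.json document.
    Assumed layout: {"version": "...", "sha256": "<64 hex chars>"}."""
    value = str(json.loads(version_json).get("sha256", "")).strip().lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("version.json carries no usable sha256 value")
    return value

def verify_installer(path: str, version_json: str) -> bool:
    """True only if the on-disk bytes match the published digest exactly."""
    expected = published_hash(version_json)  # refuses to run without a value
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def demo() -> tuple:
    """Run the check on a constructed file: (genuine matches, tampered matches)."""
    data = b"constructed installer bytes, not a real PULSE build"
    record = json.dumps({"version": "0.0.0",
                         "sha256": hashlib.sha256(data).hexdigest().upper()})
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    genuine = verify_installer(tmp.name, record)
    with open(tmp.name, "ab") as f:
        f.write(b"\x00")  # a single appended byte must fail the check
    tampered = verify_installer(tmp.name, record)
    os.unlink(tmp.name)
    return genuine, tampered  # -> (True, False)
```

The published value must come from the HTTPS-served page or /api/version.json, never from a file sitting next to the download, since whoever can swap the installer can swap that too.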
The app's security model
- No kernel driver, ever — PULSE is a user-space app. It never loads a kernel driver, which removes the entire class of driver-level vulnerabilities that has plagued tuning tools, and is the reason it stays friendly to antivirus and anti-cheat software.
- Never touches game processes — no injection, no memory reading, no hooks. PULSE tunes the system layer underneath your games, which is why it is compatible with EAC, BattlEye, Vanguard, and VAC.
- Administrator rights, transparently — system tweaks need elevation, requested through the standard Windows UAC prompt. PULSE does not bypass or weaken UAC.
- Reversibility ledger — before PULSE changes any setting, the original value is recorded in a local snapshot. Every optimization has a working revert, one click restores everything, and the uninstaller reverses system changes as it removes the app. A change that cannot be undone does not ship.
- Hardware-clamped tuning — overclocking values are clamped to limits the hardware itself reports, and GPU offsets are volatile: a reboot resets them, so a bad setting never sticks.
Secrets on your device
- Auth session — stored in the Windows Credential Manager, protected by Windows DPAPI under your user account; not a plain file.
- License cache — encrypted at rest (AES-GCM) and signature-checked (Ed25519), so it cannot be read or forged by editing a file.
- Device fingerprint — the raw hardware identifiers never leave your machine; only an irreversible SHA-256 hash is transmitted for device-slot enforcement.
- No payment data — card details go directly to Paddle, our Merchant of Record. They never touch our servers or your PULSE installation.
Accounts & infrastructure
- Transport — every connection the app or site makes uses HTTPS/TLS. There are no plaintext endpoints.
- Passwords — authentication is handled by Supabase Auth; passwords are stored only as salted hashes and we never see them.
- Least-privilege admin — administrative surfaces are restricted to a server-side allowlist and protected with TOTP two-factor authentication. Roles are checked on the server on every request, never trusted from the client.
- Vendors — the full list of infrastructure providers, with their roles and data-processing agreements, is on the Compliance page.
Telemetry & crash reporting
- Crash reporting is opt-in — off by default. If you enable it in Settings → Privacy, scrubbed stack traces go to Sentry; error text is cleaned of personal data before sending.
- Product analytics are anonymous — keyed by a random, resettable install identifier, never your account or hardware. On by default, one switch turns it off.
- This website — page views are counted first-party, with no cookies; see the Cookie Policy. The full data story is in the Privacy Policy.
Responsible disclosure
If you find a vulnerability in the site, the API, or the app, please tell us privately before publishing. Our machine-readable disclosure contact and scope live at /.well-known/security.txt (RFC 9116).
- In scope: this website, the PULSE API worker, and the desktop installer/app.
- Out of scope: third-party services (report Paddle/Supabase/Cloudflare/Resend issues to those vendors), attacks requiring physical access to an unlocked machine, and social engineering.
- Disclosure reports are read first — you will typically hear back from us within a few days.
- We do not currently run a paid bounty program; we publicly credit researchers (or keep you anonymous, your choice) once a fix has shipped.
Contact
Security reports and questions: [email protected] — or see all the ways to reach us on the contact page.