VibeGuard AI

Trust

How we protect your code

You're trusting us with your source. Here's exactly how we handle it.

Your source code is never stored

To scan a repository we clone it into an isolated, ephemeral environment, run the scanners, and delete the clone immediately afterward. We do not keep a copy of your source. Only the findings, file paths, and the specific code snippets needed to explain an issue are persisted.

Least-privilege access

Repository access is granted through a GitHub App that requests only the permissions it needs — read access to code and metadata, and write access to open pull requests with fixes. Access tokens are short-lived, minted per operation, and never logged or stored.

Website scans require ownership

Before any website scan runs, ownership must be verified (DNS record, meta tag, or file upload). We only perform passive checks and never run intrusive or exploitative testing against a target.

Data in transit and at rest

All traffic to and from the Service is encrypted with TLS. Findings and account data are stored in a managed database with access restricted to the Service.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in VibeGuard AI itself, please email security@vibeguard.ai with the details and steps to reproduce. Please give us a reasonable opportunity to address the issue before any public disclosure, and avoid accessing or modifying other users' data during your testing.

Questions

For any security or compliance question, reach us at security@vibeguard.ai.