Trust
How we protect your code
Your source code is never stored
To scan a repository we clone it into an isolated, ephemeral environment, run the scanners, and delete the clone immediately afterward. We do not keep a copy of your source. Only the findings, file paths, and the specific code snippets needed to explain an issue are persisted.
Least-privilege access
Repository access is granted through a GitHub App that requests only the permissions it needs — read access to code and metadata, and write access to open pull requests with fixes. Access tokens are short-lived, minted per operation, and never logged or stored.
Website scans require ownership
Before any website scan runs, ownership must be verified (DNS record, meta tag, or file upload). We only perform passive checks and never run intrusive or exploitative testing against a target.
Data in transit and at rest
All traffic to and from the Service is encrypted with TLS. Findings and account data are stored in a managed database with access restricted to the Service.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in VibeGuard AI itself, please email security@vibeguard.ai with the details and steps to reproduce. Please give us a reasonable opportunity to address the issue before any public disclosure, and avoid accessing or modifying other users' data during your testing.
Questions
For any security or compliance question, reach us at security@vibeguard.ai.