RepoShield

Security policy

We're a security product. We hold ourselves to the standard we expect of the repos we audit. The full text of our policy lives in SECURITY.md. The summary below covers the parts most people need.

Reporting a vulnerability

Email security@shieldrepo.com with reproduction steps. Please don't open a public GitHub issue for security problems — coordinate with us first so we can ship a fix before the issue becomes a weapon.

  • Acknowledgement within 72 hours.
  • Triage and severity assessment within 7 days.
  • Fix or mitigation timeline within 14 days.
  • Coordinated disclosure no earlier than 90 days unless we agree on a different schedule with you.
  • Public credit on disclosure if you want it; anonymity if you don't.

We don't run a paid bug bounty yet. We will recognize good-faith research publicly and will gladly write a recommendation.

Scope

In scope
  • The hosted application at shieldrepo.com and any subdomain.
  • The shieldrepo npm package.
  • The hosted REST API (/api/v1/*).
  • The GitHub App in our marketplace integration.
  • Source code in this repository: auth flows, API routes, scanner internals.
Out of scope
  • Third-party services we depend on (Supabase, Cloudflare, GitHub, npm) — report those upstream.
  • Findings from automated scanners without a working PoC.
  • Theoretical attacks without demonstrated impact.
  • Social engineering of RepoShield staff.
  • Issues in repos we audit — those are between you and the repo owner.

Safe harbor

We will not pursue legal action for good-faith security research that (a) accesses no more user data than is strictly necessary to demonstrate a vulnerability, (b) doesn't modify or destroy user data, (c) doesn't degrade service availability beyond a brief proof of concept, and (d) gives us reasonable time to respond before public disclosure.

Our own security posture

  • API keys are stored as SHA-256 hashes. The plaintext is shown to you once at creation and never persisted.
  • Service-role database keys are scoped to server-only route handlers and never reach the browser.
  • GitHub App private keys live in Cloudflare Workers secrets, not in the repo.
  • HSTS, CSP, X-Frame-Options: DENY, strict Referrer-Policy, and minimal Permissions-Policy are set on every response.
  • Outbound fetches from the worker are blocked from reaching RFC 1918, loopback, link-local, and *.internalhosts addresses (Cloudflare's global_fetch_strictly_public flag plus an explicit allowlist on scan endpoints).
  • All API routes return a consistent error envelope { error: { code, message, requestId } } so users can quote a request ID when reporting issues.

What we don't cover yet

We don't currently offer enterprise SSO, audit logs, SOC 2 compliance, or BAA contracts. Those are on the post-launch roadmap. Email founder@shieldrepo.com if you need any of these on a specific timeline.