
Security VibeDiligence

Last updated: March 19, 2026 — EFFECTIVE DATE: MARCH 2026

VibeDiligence is a product that audits code for security issues. We hold our own infrastructure and practices to the same standards we recommend. This page describes our security posture honestly — including what we do, what we do not do, and where we rely on third parties.

Responsible Disclosure

If you discover a potential security vulnerability in VibeDiligence, please report it to us privately before disclosing it publicly.

Contact: support@vibediligence.com
Subject line: [SECURITY] Brief description

What to include in your report:

  • A clear description of the potential vulnerability
  • Steps to reproduce or demonstrate the issue
  • The URL, endpoint, or component affected
  • Your assessment of the potential impact
  • Any relevant screenshots, payloads, or logs

What to expect:

  • We will acknowledge receipt of your report within 72 hours
  • We will investigate and provide a status update within 10 business days
  • We will notify you when the issue is resolved (if it is confirmed and fixed)

Our commitment: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, who do not access, modify, exfiltrate, or destroy data beyond what is minimally necessary to demonstrate the issue, and who give us reasonable time to respond before any public disclosure.

We do not operate a paid bug bounty programme at this time. We will acknowledge researchers publicly with their permission if a valid vulnerability is reported and addressed.

Out of scope: Reports relating to our third-party service providers (Paddle, OpenAI, Supabase, Vercel, GitHub) should be directed to those organisations directly.

Data Protection

Encryption in Transit

All communication between your browser and VibeDiligence is encrypted using HTTPS with TLS 1.2 or higher. We do not support unencrypted HTTP — all HTTP requests are redirected to HTTPS automatically. All communication between our server-side application and third-party APIs (OpenAI, GitHub, Supabase, Paddle, Resend) uses HTTPS.

Encryption at Rest

Data stored in our Supabase-managed database is encrypted at rest using AES-256, managed by the underlying AWS infrastructure.

Repository Data

We apply the following practices to repository content:

  • We only analyse public repositories. We do not use GitHub OAuth and do not request access to private repositories.
  • We fetch selectively. Only files matching audit-relevant patterns (authentication, API routes, database schema, configuration files) are fetched — not every file in the repository.
  • Content is processed in memory. Fetched file contents are transmitted to OpenAI's API for analysis and are not intentionally written to persistent storage.
  • Structured results only are stored. Our database stores audit scores, findings, and recommendations — not raw source code.
  • We cannot control OpenAI's data practices. Content sent to OpenAI's API is subject to OpenAI's own data usage and retention policies. Refer to OpenAI's privacy policy at openai.com/policies for details.

We strongly recommend that you do not submit repositories containing unrevoked secrets, production credentials, or sensitive personal data. If your repository contains secrets, rotate them before submitting. VibeDiligence is not liable for the consequences of secrets that exist in your repository and are transmitted as part of the audit process.

Payment Security

We do not handle, process, or store payment card data. All payment processing is handled exclusively by Paddle, which is PCI-DSS Level 1 compliant — the highest level of payment industry security certification.

  • Your card number, expiry, CVV, and bank details never reach our servers
  • We receive only a payment confirmation event (via webhook) and your email address after a successful transaction
  • All payment webhooks from Paddle are verified using HMAC-SHA256 signature verification with constant-time comparison before any processing occurs
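The webhook check described above, as an added TypeScript example (not VibeDiligence's code): the signature header is parsed, the HMAC-SHA256 is recomputed over the raw body, and the comparison uses Node's constant-time `timingSafeEqual`. The header layout (`ts=…;h1=…` signed over `ts:body`), the replay window and the function names are assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed header layout (check against the provider's current docs):
//   Paddle-Signature: ts=<unix seconds>;h1=<hex hmac-sha256>
// signed over the string "<ts>:<raw request body>".
const MAX_SKEW_SECONDS = 300; // reject replays of old, validly signed events

export function parseSignatureHeader(header: string): { ts: string; h1: string[] } | null {
  const parts: Record<string, string[]> = {};
  for (const kv of header.split(";")) {
    const idx = kv.indexOf("=");
    if (idx < 1) return null;
    const key = kv.slice(0, idx).trim();
    if (!parts[key]) parts[key] = [];
    parts[key].push(kv.slice(idx + 1).trim());
  }
  if (!parts.ts || parts.ts.length !== 1 || !parts.h1 || parts.h1.length === 0) return null;
  return { ts: parts.ts[0], h1: parts.h1 };
}

// Compute over the raw body bytes as received; re-serialising parsed JSON changes the bytes.
export function computeSignature(secret: string, ts: string, rawBody: string): string {
  return createHmac("sha256", secret).update(`${ts}:${rawBody}`).digest("hex");
}

export function verifyWebhook(
  secret: string,
  header: string,
  rawBody: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): boolean {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return false;
  const ts = Number(parsed.ts);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(computeSignature(secret, parsed.ts, rawBody), "hex");
  // Several h1 values are tolerated (a provider may list two during secret rotation);
  // each is compared in constant time, and a length mismatch is rejected up front
  // because timingSafeEqual throws on buffers of different length.
  return parsed.h1.some((candidate) => {
    if (!/^[0-9a-f]{64}$/i.test(candidate)) return false;
    const given = Buffer.from(candidate, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}
```

Only after `verifyWebhook` returns true should the body be parsed and the event acted on.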

Infrastructure Security

Hosting and Compute

VibeDiligence runs on Vercel, providing automatic HTTPS, network-level DDoS protection, and isolated serverless function execution with no persistent state between requests.

Database

Managed by Supabase with Row Level Security (RLS) enabled. All application access uses a server-side service role key; anonymous keys have no privileges on data tables.

Secret Management

All sensitive credentials are stored as encrypted environment variables in Vercel. They are never committed to version control, exposed to the client, or logged.

Application Security

Input Validation

All user-submitted data is validated on the server using Zod schemas. GitHub URLs, dropdown selections, and audit IDs are strictly validated against regex and allowlists.

SSRF Prevention

GitHub URLs are never fetched directly. They are parsed via regex to construct API endpoints, and every blob URL is verified to belong to the GitHub API domain before fetching.
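The pattern this section describes, as an added TypeScript example (not VibeDiligence's code): a strict regex accepts only an owner/repo pair on github.com, the API endpoint is built from the validated parts rather than from the submitted URL, and any URL the API returns is host-checked before it is fetched. The regex, the simplified owner/repo naming rules and the function names are assumptions.

```typescript
// Strict shape for a public GitHub repository URL: https, exactly github.com, then
// owner/repo and nothing else. Owner and repo character rules are simplified from
// GitHub's naming limits (an assumption; tighten to match current GitHub rules).
const REPO_URL_RE =
  /^https:\/\/github\.com\/([A-Za-z0-9][A-Za-z0-9-]{0,38})\/([A-Za-z0-9._-]{1,100})\/?$/;

const GITHUB_API_HOST = "api.github.com";

export function parseRepoUrl(input: string): { owner: string; repo: string } | null {
  const m = REPO_URL_RE.exec(input.trim());
  if (!m) return null;
  const owner = m[1];
  const repo = m[2].endsWith(".git") ? m[2].slice(0, -4) : m[2];
  if (repo.length === 0 || repo === "." || repo === "..") return null;
  return { owner, repo };
}

// The API endpoint is built from the validated parts; the user-supplied URL itself is
// never fetched. Path segments are checked so "../" cannot escape the contents route.
export function contentsEndpoint(owner: string, repo: string, path: string): string | null {
  const segments = path.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) return null;
  const safePath = segments.map(encodeURIComponent).join("/");
  return `https://${GITHUB_API_HOST}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/contents/${safePath}`;
}

function safeParseUrl(value: string): URL | null {
  try { return new URL(value); } catch { return null; }
}

// Any URL that comes back from the API (for example a blob's "url" field) is re-checked
// before it is fetched: exact hostname match, https only, no embedded credentials, no port.
export function isAllowedApiUrl(candidate: string): boolean {
  const u = safeParseUrl(candidate);
  if (u === null) return false;
  return u.protocol === "https:" && u.hostname === GITHUB_API_HOST &&
    u.username === "" && u.password === "" && u.port === "";
}
```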

Prompt Injection Defence

Code content is wrapped in XML delimiters. The system prompt instructs the AI to ignore instructions in the code. AI output is validated against a strict JSON schema.
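The two halves of that defence, as an added TypeScript example (not VibeDiligence's code): file content goes into the prompt as data inside a named delimiter block, with any copy of the closing delimiter inside the file neutralised so it cannot end the block early, and the model's reply is accepted only if it matches a fixed schema exactly. The delimiter name and the result schema (score plus findings with severity, title and recommendation) are assumptions modelled on the stored results described above.

```typescript
// Constructed example: untrusted file content is wrapped as data inside a named delimiter
// block, and the model's reply is accepted only if it matches a fixed schema exactly.
const CLOSE = "</repository_file>";

export function wrapFile(path: string, content: string): string {
  // A literal copy of the closing delimiter inside the file must not end the block early,
  // so it is neutralised before wrapping. Quotes in the path are escaped for the same reason.
  const neutralised = content.split(CLOSE).join("<\\/repository_file>");
  const safePath = path.replace(/"/g, "&quot;");
  return `<repository_file path="${safePath}">\n${neutralised}\n${CLOSE}`;
}

const SEVERITIES = new Set(["critical", "high", "medium", "low", "info"]);

export interface Finding { severity: string; title: string; recommendation: string }
export interface AuditResult { score: number; findings: Finding[] }

// Strict parse of the model output (schema is an assumption): exact key sets, bounded
// numbers and strings, allowlisted severities. Anything else is rejected, not repaired.
export function parseAuditOutput(raw: string): AuditResult | null {
  let data: unknown;
  try { data = JSON.parse(raw); } catch { return null; }
  if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
  const obj = data as Record<string, unknown>;
  if (Object.keys(obj).sort().join(",") !== "findings,score") return null;
  const score = obj.score;
  const rawFindings = obj.findings;
  if (typeof score !== "number" || !Number.isInteger(score) || score < 0 || score > 100) return null;
  if (!Array.isArray(rawFindings) || rawFindings.length > 50) return null;
  const findings: Finding[] = [];
  for (const item of rawFindings) {
    if (typeof item !== "object" || item === null || Array.isArray(item)) return null;
    const f = item as Record<string, unknown>;
    if (Object.keys(f).sort().join(",") !== "recommendation,severity,title") return null;
    const { severity, title, recommendation } = f;
    if (typeof severity !== "string" || !SEVERITIES.has(severity)) return null;
    if (typeof title !== "string" || title.length === 0 || title.length > 200) return null;
    if (typeof recommendation !== "string" || recommendation.length > 2000) return null;
    findings.push({ severity, title, recommendation });
  }
  return { score, findings };
}
```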

Rate Limiting

We enforce 5 audits per IP per hour and 30 PDF downloads per IP per hour. Oversized request bodies are rejected before parsing to prevent resource exhaustion.

HTTP Security Headers

Header                      Configuration
Strict-Transport-Security   max-age=63072000; includeSubDomains; preload
X-Frame-Options             DENY
X-Content-Type-Options      nosniff
Referrer-Policy             strict-origin-when-cross-origin
Permissions-Policy          camera=(), microphone=(), geolocation=()
Content-Security-Policy     Restricted to known sources only (mitigates XSS and injection)

The Content Security Policy restricts network requests from the browser to only: our own domain, GitHub API, OpenAI API, and Supabase — no other external connections are permitted.

What We Do Not Do

  • We do not store your source code or repository file contents
  • We do not access private GitHub repositories
  • We do not use your code or audit results to train AI models
  • We do not log your repository file contents or audit findings to our server logs
  • We do not store, log, or have access to your payment card details
  • We do not use your data for advertising or sell it to third parties
  • We do not retain data beyond the periods described in our Privacy Policy

Limitations and Honest Disclosures

We believe in being transparent about what our security measures cannot guarantee:

  • No system is completely secure. Despite our measures, we cannot guarantee that VibeDiligence is immune to all security threats, breaches, or attacks.

  • Third-party security is outside our direct control. We rely on Paddle, OpenAI, Supabase, Vercel, and GitHub. Their security postures affect our overall security. We select reputable providers but cannot independently audit them.

  • AI analysis is probabilistic. The AI component may miss vulnerabilities, produce incorrect findings, or behave unexpectedly. Audit reports are not a security guarantee.

  • Code content reaches OpenAI. Selected file contents from your repository are transmitted to OpenAI's API. OpenAI's data handling is governed by their own policies.

Reporting a Vulnerability

Email: support@vibediligence.com
Subject: [SECURITY] Brief description of the issue

We appreciate the security research community and will handle all reports professionally and confidentially.

Security Contact

Questions regarding our security infrastructure? Contact: