Security

Report vulnerabilities privately, use the built-in security controls, and keep the self-hosted boundary on your own infrastructure.

Security posture in one pass

  • Data boundary. Self-hosted data stays on your infrastructure. urgentry does not phone home for product telemetry.
  • Authentication boundary. Web sessions, API tokens, and optional OIDC/SSO are the supported auth surfaces.
  • Disclosure path. The private reporting policy is published here and mirrored at /.well-known/security.txt.

Reporting vulnerabilities

If you discover a security vulnerability, do not open a public issue. Use GitHub's private vulnerability reporting for the repository first. If that path is unavailable, contact security@urgentry.com privately with the details.

We aim to acknowledge reports quickly, assess impact, work on a fix, and publish a coordinated advisory when the fix is ready.

What to expect

Question | Current answer
Initial response | Use the private reporting path first. We aim to acknowledge reports quickly.
Supported release line | Security fixes should be assumed for the current main branch and the latest tagged Tiny-mode release.
Public advisory path | Fixes, release notes, and docs updates land through the public repo and release flow. Coordinated advisories are published when the fix is ready.
Where to follow up | security@urgentry.com and the repository’s private vulnerability reporting path.

Security artifacts

  • Policy location. /security/ and /.well-known/security.txt carry the same reporting path.
  • Public verification. Fixes, release notes, and docs updates land through the public repo and release flow.
  • Operational checks. The urgentry self-hosted security-report command is the current self-hosted posture snapshot.

Built-in security features

  • SSRF protection. Outbound HTTP requests validate targets against private IP ranges.
  • Rate limiting. Fixed-window rate limiting on authentication and API endpoints.
  • CSRF protection. Double-submit cookie pattern on all state-changing web requests.
  • Request body limits. Configurable max body size on all ingest and API endpoints.
  • Data scrubbing. Configurable PII scrubbing for credit cards, emails, and IP addresses.
  • Authentication. Session-based web auth, API token auth, and optional OIDC/SSO.
  • Audit logging. Operator action audit trail for self-hosted deployments.

Self-hosted security

When self-hosted, all data stays on your infrastructure. urgentry does not phone home, collect telemetry, or send data to any external service. You control the network, storage, and access policies entirely.

The urgentry self-hosted security-report command generates an on-demand security posture report covering secrets, TLS configuration, and database access patterns.