Security & privacy
Trust isn't a page. It's the architecture.
How we handle your code, your data, and your money.
Code is read, never run
VibeGuard performs static analysis only. We never execute your project code, never install your dependencies, never run your scripts.
Isolated, ephemeral processing
Uploads extract into an isolated temporary directory per scan. Compression ratio, file count, and per-file size guards reject malformed archives and zip bombs before extraction completes.
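A pre-extraction guard of the kind described above, as an added Python example that is not VibeGuard's own code. The thresholds and the names precheck_archive and make_zip are assumptions for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Assumed thresholds for illustration; the page does not publish its limits.
MAX_FILES = 5_000
MAX_FILE_BYTES = 20 * 1024 * 1024
MAX_RATIO = 100  # declared uncompressed bytes per compressed byte


def precheck_archive(data, max_files=MAX_FILES,
                     max_file_bytes=MAX_FILE_BYTES, max_ratio=MAX_RATIO):
    """Return rejection reasons using only the central directory (no decompression)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["malformed archive"]
    reasons = []
    with archive:
        entries = archive.infolist()
        if len(entries) > max_files:
            reasons.append(f"file count {len(entries)} exceeds {max_files}")
        for entry in entries:
            if entry.file_size > max_file_bytes:
                reasons.append(f"{entry.filename}: size exceeds {max_file_bytes}")
            # max(..., 1) avoids dividing by zero on empty entries.
            if entry.file_size / max(entry.compress_size, 1) > max_ratio:
                reasons.append(f"{entry.filename}: ratio exceeds {max_ratio}")
    return reasons


def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, body in files.items():
            archive.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_zip({"app.py": b"print('hi')\n", "README.md": b"# demo\n"})
    bomb = make_zip({"zeros.bin": b"\0" * (1024 * 1024)})  # constructed sample
    print("benign:", precheck_archive(benign))
    print("bomb:  ", precheck_archive(bomb))
```

The declared sizes come from the archive itself, so the extraction step should also cap the bytes it actually writes.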
Secrets are masked
API keys, tokens, and private keys we detect are masked in reports and never stored in full. Findings show only enough context to locate the issue.
Raw code auto-deleted
Uploaded ZIPs and cloned repos are deleted after report delivery according to the configured retention window. Reports themselves auto-expire after the configured retention period.
Pull requests for review only
VibeGuard creates a security-fix branch and opens a pull request. We never push to main, never auto-merge, never deploy. Review is always your decision.
Row-level security on user data
Every user-data table enforces row-level security. You can only access your own projects, scans, reports, and quotes. Cross-user access is impossible at the database layer.
Webhook signatures verified
Payment webhooks are verified against our payment provider's signatures. Replays are deduplicated by event ID. Unverified events are rejected before reaching any handler.
Honest disclaimers
We don't claim our review is exhaustive. VibeGuard identifies common and high-risk issues to reduce launch risk. We do not guarantee an application is vulnerability-free.
Responsible-use commitment
VibeGuard is a defensive product. It is built to review codebases owned by the user or explicitly authorized by the user. We do not perform offensive exploitation, unauthorized scanning of external targets, credential abuse, malware generation, or attacks. Every scan and every pull request requires an explicit authorization checkbox stored in our audit log.
The cheapest time to fix security is before launch.
Run a free scan in under two minutes. See your launch-readiness score, top risks, and dynamic audit options instantly.
No credit card required for the free scan. Paid quotes generated only after the scan completes.