Security

Report vulnerabilities privately, use the built-in security controls, and keep the self-hosted boundary on your own infrastructure.

Maintained by Wraxle LLC

Security posture in one pass

  • Data boundary. Self-hosted data stays on your infrastructure. urgentry does not phone home for product telemetry.
  • Authentication boundary. Web sessions, API tokens, and optional OIDC/SSO are the supported auth surfaces.
  • Disclosure path. The private reporting policy is published here and mirrored at /.well-known/security.txt.

Reporting vulnerabilities

If you discover a security vulnerability, do not open a public issue. Use GitHub's private vulnerability reporting for the repository first. If that path is unavailable, contact security@urgentry.com privately with the details.

We aim to acknowledge reports quickly, assess impact, work on a fix, and publish a coordinated advisory when the fix is ready.

Security artifacts

  • Policy location. /security/ and /.well-known/security.txt carry the same reporting path.
  • Public verification. Fixes, release notes, and docs updates land through the public repo and release flow.
  • Operational checks. The urgentry self-hosted security-report command generates the current self-hosted posture snapshot on demand.

Built-in security features

  • SSRF protection. Outbound HTTP requests validate targets against private IP ranges.
  • Rate limiting. Fixed-window rate limiting on authentication and API endpoints.
  • CSRF protection. Double-submit cookie pattern on all state-changing web requests.
  • Request body limits. Configurable max body size on all ingest and API endpoints.
  • Data scrubbing. Configurable PII scrubbing for credit card numbers, email addresses, and IP addresses.
  • Authentication. Session-based web auth, API token auth, and optional OIDC/SSO.
  • Audit logging. Operator action audit trail for self-hosted deployments.
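
The SSRF bullet above describes validating outbound targets against private IP ranges. The following is an added example of what such a check has to cover to be effective; it is illustrative code written for this page, not urgentry's implementation, and the blocked-range list, function names, and the FAKE_DNS fixture are assumptions. The check resolves every A/AAAA record and rejects if any is private, unwraps IPv4-mapped IPv6 addresses, refuses userinfo in the URL, and restricts schemes, all of which are common bypasses of a naive "is the hostname private" test.

```python
"""Outbound-target validation against SSRF (added example, not urgentry's code)."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Ranges a self-hosted service should never fetch on a user's behalf. The
# explicit list is an assumption for this example; it adds carrier-grade NAT
# (100.64/10), NAT64 (64:ff9b::/96) and benchmarking (198.18/15) blocks to
# the loopback/link-local/multicast checks below and keeps the policy in one
# auditable place.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(ValueError):
    """Raised when a URL would reach a private, loopback or reserved address."""


def is_blocked_ip(addr: str) -> bool:
    """True if a single resolved address falls in a blocked range."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 scope id
    # ::ffff:10.0.0.5 is IPv4 in disguise; unwrap it so the v4 ranges apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved
            or any(ip in net for net in BLOCKED_NETWORKS))


def system_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record; the check must see all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = system_resolver
                          ) -> List[str]:
    """Return the addresses a fetch of `url` may connect to, or raise.

    The caller should connect to one of the returned addresses (keeping the
    original Host header) instead of resolving again, and must run this
    check again on every redirect target; otherwise DNS rebinding or an
    open redirect on an allowed host walks straight past the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'http://api.example@10.0.0.5/' is a request to 10.0.0.5.
        raise SSRFBlocked("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError as e:
        raise SSRFBlocked(f"bad port: {e}") from None

    try:
        ipaddress.ip_address(host)
        addrs = [host]              # literal address: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked(f"{host!r} did not resolve")
    # Fail closed: a mixed record set (one public, one private A record) is a
    # classic rebinding trick, so a single blocked address rejects the URL.
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:
        raise SSRFBlocked(f"{host!r} resolves to blocked address(es) {blocked}")
    return addrs


def url_is_blocked(url: str,
                   resolve: Callable[[str], List[str]] = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolve)
    except SSRFBlocked:
        return True
    return False


# Constructed DNS fixture so the example runs offline; these are not real records.
FAKE_DNS = {
    "api.example": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "127.0.0.1"],
    "v6mapped.example": ["::ffff:10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example/hooks", "http://169.254.169.254/latest/meta-data/",
                "https://rebind.example/", "http://api.example@10.0.0.5/",
                "https://v6mapped.example/", "gopher://api.example/"):
        try:
            print("allow", url, validate_outbound_url(url, fake_resolver))
        except SSRFBlocked as e:
            print("block", url, "->", e)
```

The check alone is not enough: whatever HTTP client performs the fetch must also disable automatic redirect following (or re-run the validation per hop) and should connect to the returned address rather than the hostname, since a second resolution is a second chance for the attacker's DNS to answer differently.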

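The CSRF bullet names the double-submit cookie pattern. The block below is an added example of that pattern written for this page, not urgentry's own middleware; the cookie, header and form-field names and the session-binding MAC are assumptions. It shows the two checks a practitioner needs: the cookie copy and the submitted copy must match (compared in constant time), and the token must have been minted for the current session under a server secret, which closes the hole in the naive version where an attacker who can set cookies on a sibling subdomain supplies both copies.

```python
"""Double-submit cookie CSRF check (added example, not urgentry's code)."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Methods that must not change state and therefore skip the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
COOKIE_NAME = "csrf_token"      # assumed names for this example
HEADER_NAME = "X-CSRF-Token"
FIELD_NAME = "csrf_token"


def _mac(secret: bytes, session_id: str, nonce: str) -> str:
    # Length-prefix the session id so "ab"+"c" and "a"+"bc" cannot collide.
    msg = f"{len(session_id)}:{session_id}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Mint the token the server sets as a cookie and embeds in forms/JS.

    A random nonce is bound to the session with an HMAC under a server-side
    secret, so a token an attacker plants from another origin or subdomain
    will not verify against the victim's session.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(secret, session_id, nonce)}"


def _ct_equal(a: str, b: str) -> bool:
    # Encode first: compare_digest rejects non-ASCII str, and user input
    # must not be able to crash the check.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_csrf(method: str, session_id: Optional[str],
                cookies: Mapping[str, str], headers: Mapping[str, str],
                form: Mapping[str, str], secret: bytes) -> bool:
    """Return True when a state-changing request may proceed.

    Fails closed: a missing piece, a mismatch between the two copies, or a
    token not minted for this session is a rejection. Real frameworks expose
    header names case-insensitively; this example assumes a normalized map.
    """
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    submitted = headers.get(HEADER_NAME) or form.get(FIELD_NAME)
    if not session_id or not cookie_token or not submitted:
        return False
    # 1. Double submit: the copy the browser attached automatically (cookie)
    #    must equal the copy only same-origin markup or script could supply.
    if not _ct_equal(cookie_token, submitted):
        return False
    # 2. Session binding: recompute the MAC over the nonce for this session.
    nonce, sep, mac = cookie_token.partition(".")
    if not sep or not nonce or not mac:
        return False
    return _ct_equal(mac, _mac(secret, session_id, nonce))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)        # in production: loaded from config
    tok = issue_csrf_token("sess-123", secret)
    print("same session, both copies:",
          verify_csrf("POST", "sess-123", {COOKIE_NAME: tok}, {HEADER_NAME: tok}, {}, secret))
    print("other session, both copies:",
          verify_csrf("POST", "sess-999", {COOKIE_NAME: tok}, {HEADER_NAME: tok}, {}, secret))
```

Set the cookie with SameSite=Lax or Strict and, where the deployment is HTTPS-only, the Secure flag; the double-submit check is the defence that still holds when a browser does not enforce SameSite.
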
Self-hosted security

When self-hosted, all data stays on your infrastructure. urgentry does not phone home, collect telemetry, or send data to any external service. You control the network, storage, and access policies entirely.

The urgentry self-hosted security-report command generates an on-demand security posture report covering secrets, TLS configuration, and database access patterns.