Security Policy
Last updated: March 17, 2026
Found a vulnerability in VibeLint? Email us at support@vibelint.dev. We respond within 72 hours and will not take legal action against good-faith researchers.
1. Our Commitment
VibeLint is a security tool — we hold ourselves to a higher standard when it comes to the security of our own product. We are committed to:
- Responding to all security reports within 72 hours
- Keeping you informed of our progress throughout the investigation
- Crediting researchers who responsibly disclose vulnerabilities (with your permission)
- Not pursuing legal action against researchers who act in good faith
- Fixing confirmed vulnerabilities within 30 days of confirmation for critical issues
2. How to Report a Vulnerability
Please report security vulnerabilities by email to support@vibelint.dev.
Include as much of the following as possible:
- Description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (PoC)
- VibeLint version affected (CLI version, if applicable)
- Any relevant logs, screenshots, or request/response samples
- Your suggested severity level (Critical / High / Medium / Low)
Please do not report security vulnerabilities through public GitHub issues, social media, or any other public channel.
3. Scope
In scope
- vibelint.dev web application — authentication bypass, authorization issues, injection vulnerabilities, license key exposure, dashboard data leakage
- API endpoints — /api/validate-license, webhook handlers, and all other API routes
- VibeLint Pro CLI — license key handling, config file security, network communication with the dashboard
- VibeLint OSS CLI — any vulnerability in the open-source scanner itself
- Supabase database — row-level security bypass, data exposure through misconfigured policies
Out of scope
- Vulnerabilities in third-party services we use (Clerk, Dodo, Supabase, Vercel) — report those directly to those vendors
- Denial-of-service attacks
- Social engineering attacks against VibeLint staff
- Physical security
- Vulnerabilities requiring physical access to a user's device
- Issues in outdated or unsupported versions of the CLI
4. Response Timeline
| Milestone | Target time |
|---|---|
| Initial acknowledgement | Within 72 hours |
| Severity assessment and triage | Within 7 days |
| Fix for Critical severity | Within 7 days of confirmation |
| Fix for High severity | Within 14 days of confirmation |
| Fix for Medium/Low severity | Within 30 days of confirmation |
| Public disclosure (coordinated) | After fix is deployed, by mutual agreement |
5. Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not initiate legal action against researchers who:
- Report the vulnerability to us before any public disclosure
- Avoid accessing, modifying, or deleting user data beyond what is needed to demonstrate the vulnerability
- Do not exploit the vulnerability beyond confirming its existence
- Do not perform denial-of-service attacks or spam
- Act in good faith throughout the disclosure process
If you follow these guidelines, we commit to working with you to understand and address the issue, and we will not pursue civil or criminal action related to your research.
6. Our Security Practices
In the interest of transparency, here is how we approach security in VibeLint:
- License keys: Only SHA-256 hashes are stored — the plain key never touches our servers after it is shown to the user once
- Database: Row-level security (RLS) is enabled on all tables; no anon access to user data
- API: All sensitive endpoints require authentication via Clerk session or license key validation
- Payments: Card data is handled entirely by Dodo Payments — we never see card numbers
- Transport: All communication is over HTTPS/TLS
- Webhooks: All incoming webhooks are verified using cryptographic signatures before processing
- CLI config file: License keys stored in `~/.vibelint/config` are set to `chmod 600` (owner read/write only)
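As an added example (not VibeLint's own code), here is how two of the practices listed above, hash-only storage of license keys and a CLI config file restricted to mode 600, can be implemented and checked in Python. The `vl_` key prefix, the config file layout and the file path used in the demo are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile


def issue_license_key():
    """Generate a random key and return (plain_key, sha256_hex).

    Only the hex digest is meant to be persisted server-side; the plain key
    is shown to the user once and then discarded. Key format is assumed."""
    plain = "vl_" + secrets.token_hex(16)
    return plain, hashlib.sha256(plain.encode()).hexdigest()


def validate_license(presented_key, stored_hashes):
    """Hash the presented key and compare against stored digests.

    hmac.compare_digest avoids timing differences between near-matches."""
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in stored_hashes)


def write_cli_config(path, plain_key):
    """Write the config with mode 0600 from creation, then enforce it.

    Creating with os.open(..., 0o600) avoids a window where the file exists
    with wider permissions; the explicit chmod handles a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"license_key = {plain_key}\n")  # assumed config layout
    os.chmod(path, 0o600)
    return config_mode_ok(path)


def config_mode_ok(path):
    """True only if no group or other permission bits are set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo_config_roundtrip():
    """Write a config in a temp dir, then loosen it to show the check fails."""
    path = os.path.join(tempfile.mkdtemp(), "config")  # constructed path
    plain, _ = issue_license_key()
    ok_after_write = write_cli_config(path, plain)
    os.chmod(path, 0o644)  # simulate a misconfigured file
    return ok_after_write, config_mode_ok(path)
```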
7. Contact
Security reports: support@vibelint.dev
General support: support@vibelint.dev