Security
Last updated: July 11, 2026
Source code: VibeLint scans run locally by default. The dashboard receives metadata and summaries, not raw source files.
Does VibeLint upload my source code?
No raw source files are uploaded by the scanner. The Pro dashboard sync endpoint stores scan metadata: project label, filename, language, issue counts, detector type, severity, line number, description, fix hint, source, and timestamps. That data is visible in scan history and security score features.
Agent action and permission endpoints are different: they store redacted input, output, and metadata JSON when you send agent events to VibeLint. Redaction is key-name based for fields such as tokens, passwords, cookies, secrets, and API keys, plus length/depth truncation. If you put raw code in a non-sensitive JSON field, VibeLint stores the text you sent.
What data is stored?
- Account email, Clerk user ID, plan, and Dodo customer/subscription IDs.
- SHA-256 hashes and short prefixes for license keys and agent API keys.
- Scan summaries, issue metadata, project labels, and CLI activity logs.
- Agent identities, action logs, permission policies, decisions, and approvals.
- Support requests, dashboard feedback, and transactional email state.
Data retention and deletion controls
VibeLint has self-service deletion for scan history and CLI logs. It does not yet have a self-service retention dial, JSON/CSV export button, or account-wide delete button in the dashboard.
| Data | Current control |
|---|---|
| Scan history | Delete all scans from /dashboard/scans, or delete scans for one project. Linked scan issues are deleted with the scan. |
| Projects | Delete a project from /dashboard/projects. This removes scan records for that project, not CLI logs. |
| CLI logs | Delete all logs from /dashboard/logs, or delete logs for one project. This does not delete scan history. |
| Agent action logs | View and filter in /dashboard/action-logs. No self-service delete or export endpoint is implemented yet. |
| Permission decisions and approvals | Stored for policy history and approval state. No self-service delete or export endpoint is implemented yet. |
There is no per-user retention-period setting in this checkout today. Records are kept until you delete records that have dashboard controls, close the account through support, or we remove them as part of maintenance. The suggested 7-day, 90-day, and 1-year retention tiers are not implemented in the current schema or API routes. A Builder plan is also not present in the current account schema.
If you need an export or account deletion, email hi@vibelint.dev from the account email before deleting records. App-side records tied to the account are designed to cascade when the account row is removed, but billing records may need to be retained by Dodo Payments, and authentication records must be handled through Clerk.
Transport and storage
The public app and API run on Vercel at vibelint.dev and use HTTPS/TLS. Application data is stored in Supabase Postgres. The database migrations in this repo enable row-level security and deny direct anonymous access to user data tables; reads and writes go through server-side API routes using the Supabase service role key.
Supabase provides encryption at rest for stored data. The Supabase region is not declared in this repository, so this page does not claim a region. If region matters for your compliance review, ask support for the current production region before sending regulated data. Production access is limited to the operator and the infrastructure consoles needed to run the service.
Subprocessors
VibeLint does not sell data or share it for advertising. It uses:
- Clerk for authentication and session management.
- Supabase for the application database.
- Vercel for hosting, API runtime, cron, request logs, and analytics.
- Dodo Payments for subscription checkout, billing, and customer portal access.
- Resend for transactional email such as weekly digests and payment notices.
Incident response
If we confirm a breach that affects user data, we will notify affected users by email with what happened, what data was involved, what we did, and what users should do next. When law requires a deadline, we follow that deadline. Otherwise, the target is notice within 72 hours of confirming user data was affected.
Report a vulnerability
Email hi@vibelint.dev with the affected property and version, a clear impact statement, reproducible steps or a minimal proof of concept, and suggested remediation if known. Remove tokens, personal data, source code, and unrelated customer data from screenshots and logs before sending them.
In-scope properties
vibelint.dev, its dashboard, and first-party API routes.- The VibeLint Free and Pro Python packages, CLI, MCP server, installer, and updater.
- First-party VibeLint release artifacts and package-download flows.
Vulnerabilities solely in Clerk, Supabase, Vercel, Dodo Payments, Resend, Upstash, or another provider should be reported to that provider unless VibeLint has misconfigured or insecurely integrated the service.
Safe harbor and testing boundaries
We will treat good-faith research that follows this policy as authorized and will not pursue legal action for accidental, limited violations made while attempting to comply. Stop and report immediately if you encounter personal data, credentials, private source code, or another customer's data.
- Do not destroy, alter, download, retain, or publicly disclose data you do not own.
- Do not use denial-of-service, high-volume automation, spam, social engineering, phishing, malware, or physical attacks.
- Do not establish persistence, pivot into provider infrastructure, or access additional accounts after proving the issue.
- Use your own account and the minimum requests and data needed to demonstrate impact.
Response and coordinated disclosure
We target acknowledgement within 72 hours and a substantive status update within seven calendar days. Resolution time depends on severity and complexity; we will share progress at reasonable intervals when a report is accepted. Please keep the report confidential until we confirm a fix or agree on a disclosure date. We will credit researchers who request it unless legal, privacy, or safety constraints prevent attribution.