Security policy

Report issues privately. Review our current controls plainly.

This page explains how to report vulnerabilities, what data Skylos Cloud may process, and which compliance claims Skylos does not make today.

Local-first scanning

The open-source scanner can be used locally or in CI. Skylos Cloud receives scan data only when a user or workflow uploads a report, triggers a cloud action, or uses the public scan endpoint.

Cloud upload data

Uploaded reports may include findings, severity, rule IDs, file paths, line numbers, snippets, upload attribution, scan metadata, and optional provenance or defense evidence.

Credential handling

Project API keys are stored as hashes, not in plaintext. Dashboard users with the rotate:keys permission can issue secondary rotation keys and revoke stale secondary keys.
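The mechanism described above (hashed key storage, lookup and verification without the plaintext, a rotate:keys-gated rotation that issues a secondary key, and revocation of stale secondaries) is easy to get subtly wrong, so here is an added, self-contained illustration. It is example code written for this page, not Skylos Cloud's implementation; the key format (`sk_<prefix>_<secret>`), the use of SHA-256, the `Project`/`StoredKey` data model, the function names, and the 30-day staleness window are all assumptions, and the only thing taken from the page is the `rotate:keys` permission name.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed key layout: "sk_" + 8-hex-char lookup prefix + "_" + 64-hex-char secret.
# The prefix is non-secret and only narrows the database lookup; the secret is
# the credential. Only the SHA-256 digest of the full key is ever stored.


def hash_key(key: str) -> str:
    # A fast hash is acceptable here because the secret is 256 bits of CSPRNG
    # output; slow password hashes exist to protect low-entropy human passwords.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


@dataclass
class StoredKey:
    prefix: str
    digest: str
    role: str  # "primary" or "secondary" (assumed roles)
    created_at: datetime
    revoked: bool = False


@dataclass
class Project:
    keys: list[StoredKey] = field(default_factory=list)


def issue_key(project: Project, role: str, now: datetime) -> str:
    """Mint a key, persist only its hash, return the plaintext exactly once."""
    prefix = secrets.token_hex(4)
    plaintext = f"sk_{prefix}_{secrets.token_hex(32)}"
    project.keys.append(StoredKey(prefix, hash_key(plaintext), role, now))
    return plaintext


def verify_key(project: Project, presented: str) -> bool:
    """Accept any non-revoked key whose stored digest matches the presented key."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "sk":
        return False
    prefix, digest = parts[1], hash_key(presented)
    for stored in project.keys:
        if stored.prefix != prefix or stored.revoked:
            continue
        # Constant-time comparison of equal-length hex digests.
        if hmac.compare_digest(stored.digest, digest):
            return True
    return False


def rotate_keys(project: Project, user_perms: set[str], now: datetime) -> str:
    """Issue a secondary key so clients can cut over while the primary still works."""
    if "rotate:keys" not in user_perms:
        raise PermissionError("rotate:keys permission required")
    return issue_key(project, "secondary", now)


def revoke_stale_secondaries(
    project: Project, now: datetime, max_age: timedelta = timedelta(days=30)
) -> int:
    """Revoke secondary keys older than max_age; primaries are never touched."""
    revoked = 0
    for stored in project.keys:
        if (
            stored.role == "secondary"
            and not stored.revoked
            and now - stored.created_at > max_age
        ):
            stored.revoked = True
            revoked += 1
    return revoked


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    project = Project()
    primary = issue_key(project, "primary", t0)
    secondary = rotate_keys(project, {"rotate:keys"}, t0 + timedelta(days=1))
    print("primary valid:", verify_key(project, primary))
    print("secondary valid:", verify_key(project, secondary))
    print("revoked:", revoke_stale_secondaries(project, t0 + timedelta(days=40)))
    print("secondary still valid:", verify_key(project, secondary))
```

Two points worth checking in any real implementation of this pattern: the plaintext must never be written anywhere except the one response that returns it to the caller, and revocation must flip a server-side flag rather than rely on the client discarding the key.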

Managed infrastructure

Skylos Cloud runs on Vercel and Supabase. GitHub, Lemon Squeezy, OpenAI, Slack, and Discord are contacted only for the workflows a user has configured or triggered.

Retention defaults

Scan history retention is currently set by plan: 7 days on Free, 90 days on Workspace, and 365 days on Enterprise.

Compliance status

Skylos does not currently claim SOC 2, ISO 27001, or CSA STAR certification. Current work is focused on transparent controls and audit readiness.

Coordinated disclosure scope

  • Skylos public website and authenticated Cloud application
  • Skylos API routes, dashboard routes, report upload flows, and public scan endpoint
  • Authentication, authorization, billing, project API key, and GitHub OIDC paths

Out of scope

  • Social engineering, spam, physical attacks, or denial-of-service testing against production
  • Reports that require access to another customer's account, data, repository, or credentials
  • Automated high-volume scanning without prior written approval
  • Findings already documented on the public roadmap or trust page as not yet implemented

How reports are handled

Skylos is small, so the right disclosure process is direct and low-friction. The goal is fast private reproduction without creating risk for other customers.

  • Send reports privately to aaron@skylos.dev with enough detail to reproduce the issue.
  • Use the minimum data and minimum account access necessary to demonstrate the issue.
  • Do not access, modify, delete, or disclose another customer's data.
  • We aim to acknowledge security reports within 2 business days and provide an initial triage update within 5 business days.
  • We do not operate a paid bug bounty program today.

Buyer security review

For customer security reviews, use the Trust Center. It includes a code-vetted control checklist, current provider list, data handling notes, and explicit SOC 2, ISO 27001, and CSA STAR status.