Security at GitScope
We take the security of your data and your GitHub access seriously. Here is how we protect the platform and what to do if you find a problem.
Our Security Practices
HTTPS Only
All traffic is served exclusively over HTTPS with HSTS enforced. HTTP requests are redirected automatically. We use TLS 1.3 with perfect forward secrecy on all endpoints.
OAuth 2.0 Authentication
We authenticate users via GitHub and Google OAuth 2.0. GitScope never handles or stores passwords for OAuth accounts. Sessions are managed with secure, HTTP-only, SameSite=Strict cookies.
No GitHub Tokens Server-Side
GitHub OAuth access tokens are used only during the active request to query the GitHub API. They are not written to our database. Once your session ends, the token is no longer accessible to us.
Encrypted Database
User data is stored in Neon PostgreSQL with AES-256 encryption at rest. Database credentials are rotated regularly, stored in environment secrets, and never shipped in client-side code.
Rate Limiting & Abuse Detection
All API routes are rate-limited at the edge. Repeated failed authentication attempts trigger temporary lockouts. Suspicious patterns are flagged for manual review.
Dependency Scanning
We run automated dependency audits on every pull request using GitHub's Dependabot and npm audit. Critical vulnerabilities block merges until resolved.
What We Store vs. What We Don't
What we store
- Your email address and display name
- Your GitHub / Google OAuth provider ID
- Repository metadata: names, star counts, language stats, commit frequency
- Your tracked repository list and dashboard preferences
- Session identifiers (in a secure cookie, not our DB)
- Stripe customer ID and subscription status
What we don't store
- Your source code or file contents
- GitHub OAuth access tokens after the request completes
- Your GitHub or Google password (we never see it)
- Raw payment card numbers (Stripe handles all card data)
- Private repository contents beyond metadata
- Your commit diffs or pull request bodies
Responsible Disclosure
We welcome security researchers who act in good faith to help us keep GitScope safe. If you discover a vulnerability, please disclose it responsibly using the process below rather than exploiting it or publishing it before we have had a chance to address it.
How to Report
1. Email a description of the vulnerability to security@gitscope.dev. Include the affected URL or endpoint, steps to reproduce, and the potential impact.
2. Encrypt your report if it contains sensitive details: our PGP public key is available on request.
3. We will acknowledge receipt within 2 business days and aim to provide an initial assessment within 7 days.
4. We will keep you informed of our progress and notify you when the issue is resolved.
5. Please do not access or modify data belonging to other users, and do not perform denial-of-service testing.
Bug Bounty
GitScope does not currently run a formal paid bug bounty programme. However, we genuinely appreciate the time and effort researchers invest in responsible disclosure. Valid vulnerability reports that lead to a security fix will receive public acknowledgement in our Changelog (if desired) and a personal thank-you from the team. We intend to launch a formal bounty programme as the platform matures — we will announce this here and in the changelog when it is live.
In Scope / Out of Scope
In scope
- gitscope.dev and all subdomains
- Authentication and session management flaws
- Authorisation bypass (accessing another user's data)
- Cross-site scripting (XSS) with demonstrated impact
- SQL injection or database exposure
- Sensitive data exposure via API endpoints
Out of scope
- Denial-of-service attacks
- Social engineering of GitScope staff
- Vulnerabilities in third-party services (GitHub, Stripe, Vercel) — report those directly to them
- Missing security headers without demonstrated exploit
- Self-XSS or issues requiring physical device access
- Rate-limit bypass without demonstrated harm