Security Disclosure

The security of our platform and our customers' infrastructure is our highest priority. We welcome responsible security research and will acknowledge your contributions.

Report a Vulnerability

If you believe you've found a security vulnerability in Iddio, please report it responsibly. Do not disclose the vulnerability publicly until we've had a chance to address it.

security@iddio.dev

For encrypted communication, our PGP key is linked from our security.txt (RFC 9116) at iddio.dev/.well-known/security.txt

Response Timeline

24 hours

We acknowledge receipt of your report and assign a tracking identifier.

72 hours

We provide an initial assessment of severity and expected resolution timeline.

90 days

Maximum disclosure window. We aim to resolve critical issues well within this period.

Scope

  • The Iddio command proxy (open-source and managed)
  • The Iddio policy engine and audit system
  • The iddio.dev web application and API
  • Authentication and authorization mechanisms
  • Audit log completeness and reliability

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who report vulnerabilities responsibly.

Security Posture

  • Transparent TLS MITM proxy — your data never leaves your machine (local-first, self-hosted)
  • ECDSA CA with per-session leaf certs generated locally; all credential files are 0600/0700
  • Fail-closed by default — unknown commands, unknown CLIs, and errors escalate rather than pass
  • Four-tier risk classification (observe / modify / sensitive / break-glass) enforced on every request
  • Blocking human approval for sensitive operations via desktop app or CLI — no request proceeds without it
  • Append-only JSONL audit log of every proxied request (best-effort; NOT tamper-evident or hash-chained)
  • Mandatory code review for all changes to the open-source proxy and policy engine
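The fail-closed evaluation and audit behaviour described in the posture list above, as an added illustration (this is example code written for this page, not Iddio's proxy or policy engine). The policy table, CLI and command names, the longest-prefix matching of the leading argv tokens, and the approval callback signature are all assumptions made for the example; the audit log mirrors the page's stated properties: append-only JSONL, created 0600, with no hash chain or other tamper evidence.

```python
"""Fail-closed, four-tier command policy with an append-only JSONL audit log.

Example code for illustration only; not Iddio's implementation.
The POLICY table and every command below are constructed.
"""
import json
import os
import stat
import tempfile
import time
from enum import IntEnum


class Tier(IntEnum):
    OBSERVE = 0
    MODIFY = 1
    SENSITIVE = 2
    BREAK_GLASS = 3


# Constructed policy: cli -> leading argv tokens -> tier.
# Anything not listed here is "unknown" and must escalate, never pass.
POLICY = {
    "aws": {
        "s3 ls": Tier.OBSERVE,
        "s3 cp": Tier.MODIFY,
        "iam create-access-key": Tier.SENSITIVE,
        "iam delete-user": Tier.BREAK_GLASS,
    },
    "kubectl": {"get": Tier.OBSERVE, "apply": Tier.MODIFY, "delete": Tier.SENSITIVE},
}


class Escalate(Exception):
    """Raised for anything the policy cannot positively classify."""


def classify(cli, argv):
    """Map a request to a tier by longest matching prefix (an assumed matching rule)."""
    rules = POLICY.get(cli)
    if rules is None:
        raise Escalate(f"unknown CLI {cli!r}")
    joined = " ".join(argv)
    best = None
    for prefix, tier in rules.items():
        if joined == prefix or joined.startswith(prefix + " "):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, tier)
    if best is None:
        raise Escalate(f"unknown command {cli} {joined}")
    return best[1]


def decide(cli, argv, approve):
    """Return (allowed, tier_name, reason).

    `approve(cli, argv, tier)` stands in for the blocking human approval step;
    it is only consulted for SENSITIVE and BREAK_GLASS requests.
    """
    try:
        tier = classify(cli, argv)
    except Escalate as e:
        return False, None, f"escalate: {e}"
    except Exception as e:  # any evaluation error is also fail-closed
        return False, None, f"escalate: error {e!r}"
    if tier >= Tier.SENSITIVE:
        if not approve(cli, argv, tier):
            return False, tier.name, "denied by approver"
        return True, tier.name, "approved"
    return True, tier.name, "policy"


def audit(path, record):
    """Append one JSON line. Created 0600; O_APPEND gives append-only writes.

    Deliberately NOT tamper-evident: no hash chain, no signature, as the page states.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    # Re-tighten in case the file pre-existed with looser permissions.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def proxy_request(path, cli, argv, approve):
    """Evaluate a request, record the decision, and return whether it may proceed."""
    allowed, tier, reason = decide(cli, argv, approve)
    audit(path, {"ts": time.time(), "cli": cli, "argv": argv,
                 "tier": tier, "allowed": allowed, "reason": reason})
    return allowed


def run_demo():
    """Run three constructed requests against a temp log; returns (results, records, mode)."""
    path = os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    yes = lambda cli, argv, tier: True
    no = lambda cli, argv, tier: False
    results = [
        proxy_request(path, "aws", ["s3", "ls", "my-bucket"], yes),          # observe: passes
        proxy_request(path, "gcloud", ["compute", "instances", "list"], yes),  # unknown CLI: escalates
        proxy_request(path, "kubectl", ["delete", "pod", "web-0"], no),       # sensitive, denied
    ]
    with open(path) as f:
        records = [json.loads(line) for line in f]
    return results, records, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the example is the shape of the control flow rather than the table contents: every path that is not a positive match on a known CLI and known command ends in a deny, including exceptions raised during evaluation, and the log records the denial as well as the approval. Because the file is protected only by its mode and the O_APPEND flag, a process running as the same user can still truncate or rewrite it, which is exactly why the page labels the log best-effort rather than tamper-evident.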