Security
Reporting a vulnerability
If you find a security issue, please email [email protected] with reproduction steps. We aim to acknowledge within 48 hours and fix or coordinate disclosure within 30 days for critical issues.
Machine-readable: /.well-known/security.txt
Safe harbor
We will not pursue legal action against researchers who:
- Give us a reasonable opportunity to fix before public disclosure
- Don't exfiltrate data beyond what's necessary to demonstrate impact
- Don't degrade service availability for other users
- Test only against accounts they own
In scope
inqrable.com,*.inqrable.com,inqr.io- The public API (
api.inqrable.com) - Our MCP server
Out of scope
- Self-XSS that requires user-controlled scripts
- Issues already publicly disclosed in upstream dependencies
- Email spoofing of unauth'd providers
- Rate-limit findings — those are intentionally tunable
What we run
End-to-end TLS via Cloudflare, Caddy auto-renewing Let's Encrypt certs, payload encryption at rest (AES-256-GCM), Argon2id password hashing where applicable, OAuth tokens encrypted at rest, hardened sshd (key-only, no root, /29-only ingress), ufw + fail2ban, auditd, automated dependency upgrades via Dependabot + weekly pnpm audit, gitleaks + Semgrep on every PR.