Security
Last updated: May 9, 2026
Security is central to what DepKeep does. We help engineering teams manage vulnerabilities in their open source stack — so we hold ourselves to the same standard we hold our work.
If you believe you've found a security vulnerability in our website, infrastructure, or any software we maintain, please tell us. We take every report seriously.
Report a vulnerability
Email
security@depkeep.com with details of the issue.
You may encrypt your report with our PGP key; contact us at the address above to obtain the public key.
Responsible Disclosure Policy
We follow a coordinated disclosure model. When you report a vulnerability to us, we ask that you:
- Give us reasonable time to investigate and fix the issue before disclosing it publicly
- Avoid accessing, modifying, or deleting data that does not belong to you
- Refrain from denial-of-service attacks, spam, or social engineering against our team or customers
- Provide enough detail for us to reproduce the issue
In return, we commit to:
- Acknowledging your report within 2 business days
- Keeping you informed as we investigate and remediate
- Not pursuing legal action against researchers acting in good faith under this policy
- Crediting you in our disclosure (if you wish) once the issue is resolved
Response Timeline
Day 1–2
Acknowledgement of your report and assignment to an engineer.
Day 3–7
Initial triage, severity assessment, and confirmation of the issue.
Day 8–30
Patch development, testing, and deployment. Complex issues may take longer — we will keep you updated.
Post-fix
Coordinated public disclosure (if applicable) and credit to the reporter.
Scope
This policy covers:
- depkeep.com and any subdomains we operate
- Our customer portal and API (when available)
- Patches and tooling we produce and distribute to customers
Out of scope:
- Third-party services or open source projects we do not control
- Issues requiring physical access to our infrastructure
- Social engineering or phishing attacks against our staff
- Theoretical vulnerabilities without a working proof of concept
Our Security Practices
- All data in transit is encrypted via TLS 1.2 or higher
- Access to production systems is restricted by role and requires MFA
- We conduct internal security reviews before shipping customer-facing changes
- Customer data is isolated per account and never used for training or analytics
- We monitor our infrastructure for anomalous activity around the clock
Contact
For security issues: security@depkeep.com
For general enquiries: hello@depkeep.com