THIS PAGE IS THE ACTUAL FILE THAT SHIPS IN THE REPOSITORY — PUBLISHED SO YOU CAN JUDGE THE OPERATIONAL COST BEFORE YOU PAY.

Security policy

Reporting a vulnerability

Please report security issues privately — do not open a public issue. Contact @s8kur on Telegram, or use the support channel on your purchase receipt, with:

You'll receive an acknowledgement, and where a fix is warranted, a patched release within the version-1 update window.

Supported versions

Security fixes are published for the current major version (1.x). See CHANGELOG.md for released versions.

Hardening your deployment

Vigil is self-hosted, so you own the deployment surface. The essentials:

What ships hardened by default: security headers, non-root container images, RBAC guards on every mutation, HMAC-signed webhooks, SSRF checks on monitor targets, and a database-checked health endpoint. The full security model is documented in ARCHITECTURE.md.

Automatic recovery — the safety model

Recovery is the one feature that makes an outbound, state-changing request to an address you supply, so it is deliberately the most constrained path in the product:

Reducing the trust surface