Security

We dogfood in public.

Every scan Hardenator runs on customer code runs on ephemeral infrastructure — clone, scan, delete, all within 5 minutes. Your source never outlives the scan that reads it.

Our posture:

  • Read-only GitHub App by default. Write access is opt-in per repo (required only if you want auto-fix PRs).
  • Scans run in isolated containers. Your code is cloned, scanned, and deleted; only the findings are stored. Retention of source: < 5 minutes per scan.
  • API keys and secrets are never logged. Not even truncated. Not even in error paths.
  • Every admin action is audit-logged.
  • If we ever get breached, we disclose publicly the same day.

Coming soon on this page:

  • Monthly self-audit report — Hardenator scanned by Hardenator. Every finding, every fix, public.
  • Public bug bounty — $500–$2,500 rewards via HackerOne. Launching Week 2.
  • SOC 2 Type I report — targeting Month 6.

Found something that looks off? security@hardenator.com. We respond within 24 hours.

Join the waitlist →