Security — Saneops

Saneops security posture: self-hosted by default, encrypted secrets, RS256 license signing, audit log.

Saneops is proprietary software. We take security reports seriously and welcome coordinated disclosure from researchers and customers.

Reporting a vulnerability

Email: security@saneops.in
Response SLA: we acknowledge receipt within 2 business days.

Please include:

A clear description of the issue
Steps to reproduce
The affected version (commit hash, Docker image tag, or release tag)
Your assessment of severity and impact
Any proof-of-concept code or screenshots (please do not include real customer data)

If the issue is sensitive, mark the email subject with [CONFIDENTIAL]. We will provide a PGP key on request; we do not currently publish one.

What NOT to do

Do not file a public GitHub issue for security bugs.
Do not test against production systems you do not own.
Do not run automated scanners against our hosted service without prior written permission.
Do not exfiltrate customer data under any circumstances.

Scope

In scope: - The Saneops codebase - Official Docker images and binary releases - The hosted service at app.saneops.in and the marketing site at saneops.in - First-party documentation that could mislead users into insecure configurations

Out of scope: - Third-party dependencies (please report to those upstream maintainers) - Social engineering of Saneops employees - Physical attacks on Saneops infrastructure - Issues requiring a privileged user to take an additional unusual action (e.g. self-XSS) - Denial-of-service via brute-force volume that doesn't bypass our rate limits

Bug bounty

We don't currently have a public bounty program. Reporters of valid issues will be credited (with their consent) in our release notes and on our security page. We're happy to discuss compensation case-by-case for high-severity findings.

Our commitments

When you report responsibly:

We will acknowledge within 2 business days.
We will keep you updated on progress at least every 14 days.
We will not pursue legal action against good-faith research that follows this policy.
We will credit you publicly when the fix ships, unless you prefer to remain anonymous.

Hardening posture

The current security posture is summarised below and visible at runtime to admins at /admin/security on any deployment.

Compliance status (transparent): Saneops is not currently SOC 2, ISO 27001, HIPAA, or PCI-DSS certified. We are early-stage and operate a beta service. Card payments (when enabled in Q3 2026) will be processed entirely by Stripe; we never see card numbers and do not store cardholder data. We process personal data in line with the EU/UK GDPR and India's DPDP Act 2023 — see our Privacy Policy and Data Processing Addendum (DPA available on request).

Highlights: - bcrypt passwords; minimum 10-char policy with class diversity - CSRF (double-submit cookie) on all UI mutations - Per-IP sliding-window rate limits on auth + webhooks - 5-failed-login soft-lock for 15 minutes - AES-128-CBC + HMAC-SHA256 (Fernet) for secrets at rest - Comprehensive security headers (CSP, HSTS, X-Frame-Options, etc.) - Run-log redaction for any param matching token | secret | password | apikey | webhook_url | authorization - 5 MiB cap on inbound webhook bodies - Tenant isolation at every query