Trust

Security

Last updated: April 19, 2026 · Effective immediately

1. Our posture

DepScope is designed to operate only on public package metadata. We do not ingest customer source code, secrets, or production data. This keeps our attack surface narrow and our blast radius predictable.

2. Infrastructure

  • Primary hosting on Cuttalo-operated infrastructure in the EU.
  • Cloudflare in front of all public endpoints: TLS termination, WAF, DDoS mitigation, bot scoring.
  • Application and database on a private internal network.
  • PostgreSQL 17 + Redis caching; writes go to a single primary.
  • Off-site encrypted backups on OVHcloud (Gravelines, FR), 90-day rolling retention.

3. Authentication and access control

  • Magic-link authentication — no passwords are ever stored.
  • API keys are generated with cryptographic randomness, stored as SHA-256 hashes only. We cannot recover a lost key.
  • Administrative access to the production database and hosts is limited to Cuttalo staff, SSH key–only, over VPN.
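The key-handling scheme described above, as an added example rather than DepScope's own code: keys come from the OS CSPRNG, only a SHA-256 digest is persisted, and verification is a lookup plus a constant-time compare. The `dsk_<id>_<secret>` format, the public key id and the in-memory store are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-in for the API-key table: key id -> (sha256 hex of the
# secret part, owning account). The secret part is never stored in plaintext.
KEY_STORE: dict[str, tuple[str, str]] = {}


def digest(secret: str) -> str:
    # SHA-256 is adequate here because the secret carries 256 random bits,
    # so there is nothing to brute-force; a low-entropy password would need
    # a slow KDF instead.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(account: str) -> str:
    """Mint a key from the OS CSPRNG and persist only its digest.
    The plaintext is returned once; nothing stored can reproduce it."""
    key_id = secrets.token_hex(8)          # public identifier (assumed format)
    secret = secrets.token_urlsafe(32)     # secret part, 256 random bits
    KEY_STORE[key_id] = (digest(secret), account)
    return f"dsk_{key_id}_{secret}"        # "dsk_" prefix is an assumption


def authenticate(presented: str) -> str | None:
    """Return the owning account, or None for malformed or unknown keys."""
    parts = presented.split("_", 2)        # secret may itself contain "_"
    if len(parts) != 3 or parts[0] != "dsk":
        return None
    _, key_id, secret = parts
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    stored_digest, account = record
    # Constant-time compare so the check's duration does not depend on how
    # many leading characters of the digest match.
    if not hmac.compare_digest(stored_digest, digest(secret)):
        return None
    return account


def revoke_key(key_id: str) -> bool:
    """Revocation is just deletion of the digest record."""
    return KEY_STORE.pop(key_id, None) is not None
```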

4. Data in transit and at rest

  • All public traffic served over TLS 1.2+.
  • Backups encrypted at rest with keys held separately from the storage provider.
  • Secrets and API credentials held in dedicated files, chmod 600, outside the webroot, never in environment variables that could leak via logs.

5. Monitoring and incident response

  • Automated status alerts every 6 hours covering disk, RAM, CPU, the database and PM2.
  • Hourly disk-usage monitor and preprocess health checks.
  • Incident response: triage within 24 hours, remediation coordinated by Cuttalo, affected users notified without undue delay and in any case within 72 hours for personal-data breaches (art. 33 GDPR).

6. Supply chain

We dogfood DepScope internally: the service itself is audited through DepScope before dependencies are upgraded. CI runs on pinned versions; lockfiles are reviewed manually.

7. Reporting a vulnerability

Please follow our responsible disclosure policy and email [email protected] before publicly sharing findings. We do not run a paid bug bounty, but we credit researchers in the project hall of fame on request.