Security

Security practices and responsible disclosure for ConnLog.

Last updated: June 2, 2026

1. Security contact

Please report vulnerabilities, abuse, or security concerns to [email protected].

2. Vulnerability disclosure policy

We appreciate responsible disclosure. Please include enough detail to reproduce the issue, avoid accessing data that is not yours, and give us a reasonable opportunity to investigate before public disclosure.

Please do not perform destructive testing, social engineering, spam, denial-of-service, or physical attacks, and do not access, modify, or delete data that is not yours. Do not test against production in ways that could affect availability, billing, alert delivery, other customers, or data integrity without prior written permission.

3. Platform security measures

  • Encryption in transit for browser, API, and agent traffic.
  • Password hashing and session-based authentication.
  • OAuth login support for configured providers.
  • Workspace isolation and role-based access controls.
  • Audit logs, security events, and administrative audit trails.
  • Least-privilege access expectations for operational access.
  • Secrets management for application secrets, tokens, and provider credentials.
  • Agent authentication using per-agent/workspace secrets and machine identity checks where supported.
  • Rate limiting and abuse detection on sensitive endpoints.
  • Backups and incident response processes, with exact retention still to be confirmed.
  • Secure development practices, review, dependency maintenance, and production configuration checks.

4. Customer security responsibilities

  • Install agents only on systems you own, control, or are authorized to manage.
  • Protect passwords, OAuth accounts, sessions, reset links, API credentials, and agent tokens.
  • Rotate credentials immediately after suspected compromise.
  • Limit workspace admins and review invitations, teams, roles, and collective email recipients.
  • Configure alert rules, cooldowns, recipients, and Quick Actions carefully and test them regularly.
  • Avoid storing secrets in monitor names, notes, tags, URLs, labels, ticket messages, or action output.
  • Register only Quick Actions you understand and can safely run on the target system.

5. Limits and no guarantee

ConnLog is designed to support secure operation, but no system can be perfectly secure. ConnLog does not replace your own security operations, backups, incident response, disaster recovery, access management, or business continuity planning.