OdyhookSign in

Security

Odyhook is open source and the hosted service is operated by a single individual. We welcome responsible disclosure of security issues.

Reporting a vulnerability

Please report security issues privately— don’t open a public GitHub issue for a vulnerability.

Include enough detail to reproduce: affected endpoint or file, steps, and impact. A machine-readable contact is published at /.well-known/security.txt.

What to expect

Best-effort acknowledgement within 5 days (this is a solo-operated project, so response times aren’t guaranteed), then triage, a fix, and credit with your consent.

Scope

In scope: the hosted service at odyhook.dev and the source code in the repository. Out of scope: denial-of-service / volumetric testing, social engineering, attacks on third-party sub-processors, and automated-scanner output with no demonstrated impact.

Security posture

  • Secrets (signing secrets, destination headers, BYOK LLM provider keys) are encrypted at rest with AES-256-GCM.
  • Outbound delivery is SSRF-protected (scheme/IP checks, resolve-and-pin, manual redirect handling).
  • Inbound HMAC verification is constant-time; request bodies are size-capped.
  • Sentry traces are scrubbed of bodies, cookies, query strings, and sensitive headers before sending.
  • The code is open source and auditable. For the strongest isolation, self-host— your data never touches our infrastructure.

Privacy Policy · Terms of Service · Sub-processors