Security
Odyhook is open source and the hosted service is operated by a single individual. We welcome responsible disclosure of security issues.
Reporting a vulnerability
Please report security issues privately— don’t open a public GitHub issue for a vulnerability.
- Preferred: GitHub private vulnerability reporting.
- Alternative: ngkdev93@gmail.com.
Include enough detail to reproduce: affected endpoint or file, steps, and impact. A machine-readable contact is published at /.well-known/security.txt.
What to expect
Best-effort acknowledgement within 5 days (this is a solo-operated project, so response times aren’t guaranteed), then triage, a fix, and credit with your consent.
Scope
In scope: the hosted service at odyhook.dev and the source code in the repository. Out of scope: denial-of-service / volumetric testing, social engineering, attacks on third-party sub-processors, and automated-scanner output with no demonstrated impact.
Security posture
- Secrets (signing secrets, destination headers, BYOK LLM provider keys) are encrypted at rest with AES-256-GCM.
- Outbound delivery is SSRF-protected (scheme/IP checks, resolve-and-pin, manual redirect handling).
- Inbound HMAC verification is constant-time; request bodies are size-capped.
- Sentry traces are scrubbed of bodies, cookies, query strings, and sensitive headers before sending.
- The code is open source and auditable. For the strongest isolation, self-host— your data never touches our infrastructure.