Security at Oubliette
We build security software, so our own posture is the first product demo. This page is the honest version — what we do, and what we don't claim.
Vulnerability disclosure
Found a vulnerability in any Oubliette package, this website, or the demo? We want it.
- Email security@oubliettesecurity.com — or use GitHub private vulnerability reporting on the relevant repo.
- Acknowledgment within 2 business days; triage verdict within 7.
- Fixes for confirmed critical/high issues are prioritized over feature work — typically released within 14 days.
- Safe harbor: good-faith research within scope (no data destruction, no privacy violations, no service disruption) will never result in legal action from us.
- Credit offered in release notes unless you prefer anonymity. No bounty program yet — we're honest about being small.
Machine-readable: /.well-known/security.txt
Data handling
- Your prompts and logs never reach us. Shield, Dungeon, Trap, and Warden run entirely in your environment — no package contains telemetry, call-home, or usage reporting of any kind.
- Air-gapped deployment is a supported, tested configuration, not an afterthought.
- This website collects only what the contact form sends us. The live demo processes submitted prompts transiently and stores detection metadata only.
Release integrity
- All packages publish to PyPI from maintainer-controlled accounts with 2FA enforced.
- 3,700+ automated tests run in public CI on every change to the public repos.
- Dependencies are monitored continuously (Dependabot); security-related version bumps ship the same week.
Compliance posture
- NIST SP 800-171 self-assessment maintained; CMMC Level 2 (self) posture for federal work under DFARS 252.204-7012/7019/7020.
- SDVOSB (SBA VetCert) · CAGE 19AK6 · SAM.gov registered.
- SOC 2 is on the roadmap, gated on team growth — we won't claim it before we have it.
Questions about our posture, or need a completed security questionnaire for procurement? Contact us — founder answers directly.