Security

Security software should be
held to its own standard.

XDRagon Monitor watches your network, so its own security matters more than most software’s. This page covers two things: how to report a vulnerability to us, and how the platform itself is built and verified.

800+
Automated Tests
SLSA
Signed Provenance
100%
Open Source Code
Responsible Disclosure.

Found a vulnerability?

We want to hear about it — directly and privately, before anyone else does. Security reports get taken seriously, whoever they come from.

1
Report it privately
Email the details to contact@t-secops.io. Include what you found, how to reproduce it, and the version or commit you tested against. Please do not open a public GitHub issue for security problems.
2
We confirm receipt
You will get an acknowledgement that your report has arrived and is being looked at — you are never left wondering whether it landed.
3
We keep you in the loop
We keep you informed as the report is investigated and fixed, and we coordinate with you on disclosure once a fix is available.
The canonical policy

The authoritative version of our disclosure policy lives with the code: SECURITY.md in the XDRagon Monitor GitHub repository. If this page and that file ever differ, the repository wins.

Because the project is open source under Apache 2.0, you can audit every line you are reporting against — and verify the fix when it ships.

Security as Design.

How XDRagon Monitor is built and verified

The short version of how the platform protects itself. The full engineering detail lives on the For Engineers page.

Verifiable releases
Every release ships with SLSA build provenance, keyless-signed via Sigstore. Anyone can cryptographically verify that the artifact they run was built from the public source.
Tested like a target
The platform runs its own DAST scanner against every build, and a CI authorization gate checks every API route for missing authentication before code can merge. Backed by 800+ automated tests.
Secrets encrypted at rest
API keys, integration tokens, and firewall credentials are encrypted in the database rather than sitting in plaintext config files — and masked in every API response.
MFA & modern token architecture
Offline TOTP multi-factor authentication, short-lived in-memory access tokens with rotating httpOnly refresh cookies, and replay detection that revokes a token family if a stolen token is reused.
Self-hosted by design
The platform runs entirely on your infrastructure and functions fully offline. There is no cloud backend to breach, and no path for your security telemetry to leave your network.
Open to inspection
XDRagon Monitor is open source under Apache 2.0. The authentication code, the crypto, the API surface — all of it is public and auditable, which is exactly how we want it reviewed.

Something to report — or verify?

Send vulnerability reports to contact@t-secops.io, or head to the repository to read the canonical SECURITY.md and audit the code yourself.