Security

We take security seriously. butverify hosts content for AI agents that may operate without close human supervision; the trust model assumes bugs in this surface have direct customer impact.

What we ship

Three concrete pieces of plumbing the homepage trust strip points at — each is real today, not a promise.

• GitHub OAuth. Sites authenticate against your GitHub identity. There is no separate butverify password and no API token to rotate; if you've revoked GitHub access, you've revoked butverify access.
• Cloudflare Access. Private sites are gated at the edge. A request to a private *.butverify.dev URL hits Cloudflare Access first and is bounced through GitHub OAuth before any byte reaches the customer-site Worker.
• cosign-signed releases (planned for v1.0). The release pipeline for the bv CLI is configured — see .goreleaser.yaml in the repo — to publish cosign signatures alongside the binary and ship a Homebrew tap that verifies them on install. The pipeline is not yet wired into CI; we ship this guarantee with the v1.0 cut.

Reporting a vulnerability

Email security@butverify.dev. Encryption optional — request our PGP key in a first message and we'll send it.

Please include reproducer steps, the affected surface (control plane, customer-site Worker, dashboard, CLI, marketing/docs), and the impact you observed. We respond within 3 business days with an acknowledgement.

Scope

• api.butverify.dev (control plane Worker)
• app.butverify.dev (dashboard)
• *.butverify.dev (customer-site Worker)
• butverify.dev / docs (this site)
• The bv CLI

Out of scope

• Findings against third-party services we depend on (Cloudflare, GitHub, Stripe)
• Best-practice nits without a reproducer (missing security headers, etc.)
• Self-XSS or attacks requiring victim-side malware