Security
Last updated: March 2026
Our Practices
- All data in transit is protected by TLS/HTTPS
- API keys are stored in hashed form; OAuth credentials are encrypted at rest
- Infrastructure access is restricted by least-privilege IAM policies
- Server logs are retained for 30 days for security and debugging
- Dependencies are monitored for known vulnerabilities
Reporting a Vulnerability
If you believe you have found a security vulnerability in Open Context, please report it responsibly. We ask that you:
- Email your findings to security@opnctx.ai
- Include a clear description of the issue and steps to reproduce it
- Give us reasonable time to investigate and remediate before public disclosure
- Do not access, modify, or delete data belonging to other users
Response Commitment
- We will acknowledge receipt of your report within 3 business days
- We will investigate and provide a status update within 10 business days
- We will notify you when the issue has been resolved
- We will credit reporters who responsibly disclose valid issues (if desired)
We currently do not offer a paid bug bounty program. We are grateful for the time researchers invest in improving the security of the Service.
Scope
In scope:
- opnctx.ai and api.opnctx.ai
- mcp.opnctx.ai
- The Open Context Chrome extension
Out of scope:
- Denial-of-service attacks
- Social engineering of Open Context staff
- Physical security
- Vulnerabilities in third-party services we use
Contact
Security disclosures: security@opnctx.ai
Machine-readable policy: /.well-known/security.txt