/security
audr is a security tool. The site that distributes it has to behave like one.
Release signing
Every audr release is signed via cosign (sigstore keyless mode). The transparency log entry is publicly verifiable. The install script verifies the signature when cosign is on PATH; otherwise it falls back to SHA-256 verification.
# audr release-signing key (cosign / sigstore)
# Fingerprint will be published here once v0.4 lands. Until then verify via
# the keyless signature attached to each GitHub Release.
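The verification order described above, written out in POSIX sh as an added example (this is not audr's own install script). The `.sigstore.json` bundle name, the `AUDR_SIGNING_IDENTITY` variable and the GitHub Actions OIDC issuer are assumptions.

```shell
#!/bin/sh
# Added example, not the audr install script. Bundle name, signer identity
# and OIDC issuer are assumptions; a real check pins the values the project publishes.
set -eu

# Hash a file with whichever SHA-256 tool the host provides (GNU or BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Fallback path: compare the tarball's digest with the published one.
# $1 = tarball, $2 = expected hex digest. Returns 0 on match, 1 on mismatch.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Preferred path: keyless cosign verification against the Sigstore bundle.
# Pinning identity and issuer matters: without them any keyless signature
# recorded in the transparency log would be accepted.
verify_cosign() {
  cosign verify-blob \
    --bundle "$1.sigstore.json" \
    --certificate-identity "${AUDR_SIGNING_IDENTITY:?set to the release workflow identity}" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    "$1"
}

# Use cosign when it is on PATH, otherwise fall back to the SHA-256 check.
# $1 = tarball, $2 = expected hex digest (used only on the fallback path).
verify_release() {
  if command -v cosign >/dev/null 2>&1; then
    verify_cosign "$1"
  else
    echo "cosign not found; falling back to SHA-256 verification" >&2
    verify_sha256 "$1" "$2"
  fi
}
```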
security.txt
The canonical machine-readable security contact lives at /.well-known/security.txt per RFC 9116.
Vulnerability disclosure
Email harsh@saasalerts.com with reproduction steps and (where possible) a proof-of-concept. We aim to acknowledge within 24 hours and to ship a fix before public disclosure when the issue affects shipped audr versions. Coordinated disclosure is welcome; do not exploit beyond what is needed to demonstrate the issue.
Privacy
audr.dev does not run third-party analytics. No Google Analytics. No Segment. No advertising networks. The page makes no third-party network requests.
The audr install script sends one inferable signal: when invoked from audr.dev, the user-agent of the tarball download contains from=audr.dev so we can attribute the install funnel. Disable it with AUDR_NO_REFERRER=1.
Browser support
Last 2 versions of Chrome, Safari, Firefox, Edge. Safari 14+ minimum (WASM). The dev path (curl … | sh) works regardless of browser.