Security Policy

Last updated: June 2026

This Security Policy explains how GitPort ("we", "us", or "our") approaches the security of GitPort ("Service"), and how to report a suspected vulnerability to us.

1. Our Approach to Security

Because GitPort connects to your Git provider accounts and stores data drawn from your repositories, pull requests, issues, and notifications, we treat the security of that data as core to the Service rather than an afterthought. Measures we apply include:

  • Encryption of OAuth tokens and other sensitive fields at rest;
  • Encryption of data in transit using TLS;
  • Storage of data on servers located within the European Union;
  • Access controls restricting internal access to user data on a need-to-know basis;
  • Logging and monitoring of access to production systems;
  • Use of the minimum OAuth permission scopes necessary for the Service to function, wherever a connected provider supports scoped access;
  • Operating within the API terms and developer policies of each Git provider we integrate with, including GitHub's API Terms of Service and Developer Agreement and GitLab's Terms of Use and API Terms of Use.

Further detail on how we collect, store, and protect personal data is set out in our Privacy Policy.

2. Reporting a Vulnerability

If you believe you have found a security vulnerability in GitPort, we want to hear from you. Please report it to us via our support centre with the following information, where available:

  • A description of the vulnerability and its potential impact;
  • Step-by-step instructions to reproduce the issue;
  • Any proof-of-concept code, screenshots, or logs that support your report;
  • The URL, endpoint, or component affected.

We aim to acknowledge reports as soon as we're able, typically within a few business days, and to keep you informed of our progress as we investigate and remediate confirmed issues. Because GitPort is a small, independently run project, response times may vary, particularly outside of normal working hours.

3. Scope

This policy covers the GitPort web application, API, and supporting infrastructure that we directly operate. It does not cover:

  • Vulnerabilities in third-party Git providers (such as GitHub or GitLab) themselves — these should be reported directly to the relevant provider's own security team;
  • Vulnerabilities in third-party services we rely on for infrastructure, where those services maintain their own disclosure programs;
  • Issues that require physical access to a user's device, or that rely on a user's device already being compromised;
  • Social engineering, phishing, or denial-of-service attacks against our infrastructure or personnel.

4. Guidelines for Researchers

When investigating a suspected vulnerability, please:

  • Avoid accessing, modifying, or deleting data belonging to other users beyond what is strictly necessary to demonstrate the issue;
  • Avoid actions that could degrade the availability or performance of the Service for other users, including automated scanning at volume;
  • Give us a reasonable opportunity to investigate and remediate an issue before disclosing it publicly;
  • Only test against your own GitPort account and connected provider accounts that you are authorised to use for testing.

We will not pursue legal action against researchers who make a good-faith effort to comply with this policy, report issues responsibly via our support centre, and avoid the conduct described above.

5. Recognition

We do not currently operate a paid bug bounty program. Where appropriate and with your permission, we are happy to credit researchers who report valid vulnerabilities in good faith.

6. Changes to This Policy

We may update this Security Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page.

7. Contact

To report a vulnerability or for questions about this policy, please contact us via our support centre.