Obexum collects credentials and forensic evidence by design. The controls below describe how we protect your data, our binary supply chain, and how we respond when someone reports a flaw.
Solo, Team and on-prem Enterprise tiers process every scan locally. No engagement data leaves your network unless you opt into the SaaS portal. Even then, we encrypt at rest with per-tenant keys and never co-mingle tenant data.
Every release is built reproducibly in CI, signed with our release key, and published to get.obexum.com with SHA-256 checksums and Ed25519 signatures. Verify the download against the published checksum file before you install it.
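The checksum step above, as an added shell example that is not Obexum's own tooling. It assumes (not stated on this page) that the checksum file uses the common `sha256sum` layout, one `<hex>  <filename>` line per artifact, and that the artifact and checksum file names are as in the comments; it refuses to pass when the artifact is simply absent from the checksum file, which `sha256sum -c --ignore-missing` would silently accept.

```shell
# Verify a downloaded release artifact against its published SHA-256 checksum file.
# Assumed layout (constructed for this example, not from the page):
#   obexum-linux-amd64.tar.gz          the artifact
#   obexum-linux-amd64.tar.gz.sha256   "<hex>  <filename>" lines, sha256sum format
# Exit status: 0 match, 1 mismatch, 2 missing input file, 3 artifact not listed.
verify_release_checksum() {
    artifact="$1"
    checksums="$2"
    name=$(basename "$artifact")

    [ -f "$artifact" ]  || { echo "missing artifact: $artifact" >&2; return 2; }
    [ -f "$checksums" ] || { echo "missing checksum file: $checksums" >&2; return 2; }

    # Pick the entry for this exact filename (plain or "*name" binary-mode form).
    # An absent entry is a failure, never a pass.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$checksums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $checksums" >&2
        return 3
    fi

    # GNU coreutils provides sha256sum; macOS ships shasum instead.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$artifact" | awk '{ print tolower($1) }')
    else
        actual=$(shasum -a 256 "$artifact" | awk '{ print tolower($1) }')
    fi

    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "ok: $name"
    return 0
}
```

The function covers the SHA-256 checksum only; the Ed25519 signature check depends on the verification tool that accompanies the release key, which this page does not name.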
Obexum never persists target credentials in cleartext. SSH keys live where you put them; WinRM creds resolve from the OS keychain. The engagement directory excludes auth state unless you explicitly archive it.
The release ships with a SPDX SBOM. We track every direct and transitive dependency through our own `obexum sbom` command (yes, we audit ourselves). Critical CVEs get patched in under 72 hours.
We are pursuing SOC 2 Type II in 2026. ISO 27001 follows. Until then we publish our internal security baseline on request — the same audit Obexum runs against the lab DC, signed by our team, on our own infrastructure.
Found a flaw? Email security@obexum.com. We acknowledge within 24h, fix within the SLA bands below, and credit reporters by name (or anonymously) in the release notes.
| Severity | Acknowledge | Fix & release | Public advisory |
|---|---|---|---|
| Critical | 4h | 72h | Coordinated, ≤ 14 days |
| High | 24h | 14 days | ≤ 30 days |
| Medium | 2 business days | Next minor release | ≤ 60 days |
| Low / Info | 5 business days | Best-effort | Optional |
For sensitive disclosures use our PGP key:

```sh
# Obexum Security <security@obexum.com>
# Fingerprint: 8AB4 F8E5 1C2D 3F47 AE39 9C7B 6A21 4D58 2B1F 7E04
# Available at: https://obexum.com/.well-known/pgp.asc
curl -O https://obexum.com/.well-known/pgp.asc
gpg --import pgp.asc
```