Security

Hauberk is built for teams that need AI coding agents to operate inside enforceable local boundaries. The product is designed to run locally, keep customer source code and managed credentials out of Hauberk-controlled infrastructure, and provide auditable controls around agent tool use.

Report a vulnerability

If you believe you have found a vulnerability in Hauberk, the Hauberk website, or beta evaluation material, email security@hauberk.ai. If that address is unavailable, email founders@hauberk.ai.

Please include a short summary, affected component, impact, reproduction steps, environment details, and the best way to coordinate follow-up.

Coordinated disclosure

We ask researchers to give us a reasonable opportunity to investigate and remediate before public disclosure. We will not pursue legal action against good-faith security research that avoids privacy violations, service disruption, data destruction, extortion, social engineering, or attempts to access data that does not belong to the researcher.

Product security posture

• Local-first runtime: Hauberk is intended to enforce controls on the developer machine, between the model-facing agent workflow and local system resources.
• Sandboxed execution: tool execution is constrained to configured roots, permitted commands, and operating-system confinement where available.
• Network controls: agent egress is intended to be allow-listed, audited, and denied by default where policy requires it.
• Credential protection: managed credentials should be brokered, redacted, or withheld from model context unless explicitly authorized by policy.
• Fail-closed behavior: where Hauberk cannot enforce the requested boundary, it should deny the risky operation rather than silently degrade.

Marketing site security

The Hauberk marketing site uses standard web infrastructure for hosting, anti-abuse, and request handling. The public website is separate from the local Hauberk runtime and should not be interpreted as a cloud dependency for the product.

Evaluation artifacts

Security teams evaluating Hauberk can request the threat model, runtime architecture overview, sample policy, sample audit event payload, dependency and licensing summary, platform-specific sandboxing notes, and beta deployment limitations.