Security & Trust
ContractSpec focuses on deterministic, auditable software delivery. This page summarizes our security posture and trust commitments so teams can adopt with clarity.
Security policy
We publish a dedicated security policy that explains how to report vulnerabilities and how we respond.
Read the security policy
Release hygiene
We ship with deterministic CI, changesets, and contract validation so teams can trust every release.
- Changesets required for published packages.
- CI gate for contract validation and drift detection.
- Rollback-friendly release process.
Data handling
ContractSpec promotes strict data classification and policy-driven access. Specs can tag sensitive fields for enforcement.
- Schema-level sensitivity tags.
- Policy Decision Point enforcement.
- Audit logs for operational traceability.
Supply chain
We track dependency updates and keep the monorepo build reproducible.
- Dependabot + Renovate-style updates where available.
- Signed release artifacts planned for Studio release cycles.
- Transparent changelogs for every package.
Responsible disclosure
We respond quickly to security reports and coordinate fixes before public disclosure.
- Security response within 5 business days.
- Private disclosure via security@contractspec.io.
- Credit for researchers (with permission).
Next steps
Explore the broader safety controls or read the roadmap to see upcoming trust investments.