Security overview

Last updated: April 4, 2026 · Operator: Ribix, operated by MindCore

Ribix is a GitHub-first engineering intelligence product. Our security posture is designed around the actual assets the product touches: GitHub App credentials, repository metadata, issue content, enrichment records, billing state, and optional incident-analysis context from connected systems.

1. Scope and security model

Ribix is built to post decision-first issue enrichments in GitHub, then extend the same evidence into the dashboard, CLI, PR intelligence, and Linkroot incident workflows. We treat repository context, issue content, stack traces, installation metadata, and customer billing state as sensitive operational data.

2. Baseline controls

  • GitHub App permissions are scoped to the repository and issue access required for product behavior.
  • GitHub webhook requests are validated before processing.
  • Data is protected with TLS in transit and provider-managed encryption at rest where supported.
  • Workspace data is isolated through application and database access controls.
  • Billing and administrative actions are permission-gated in the product.
  • Secrets are managed through environment configuration, not committed source files.
  • GitHub installation tokens are short-lived and generated for operational use as needed.
  • Operational logging is used for debugging, abuse handling, and security response.

3. AI and repository handling

Ribix is not positioned as a general-purpose code browser. The backend may maintain a scoped repository clone cache so it can compute blame, candidate files, CODEOWNERS context, recent change signals, and limited snippets relevant to an issue, PR brief, or incident analysis. AI calls are used to help draft enrichments and other decision-support outputs; those outputs are probabilistic and require human review.

Public details on data categories, retention, and current service providers live in our Privacy Policy.

4. Incident response and reporting

If you believe you have found a security issue in Ribix, email mindcore.official.dev@gmail.com. Include the affected workspace or repository, reproduction details, and any relevant timestamps. We aim to acknowledge security reports within three business days and will follow applicable law and contract requirements for customer notification if we confirm a material security incident.

5. Current program status

  • Ribix does not currently claim a public SOC 2 or ISO 27001 certification.
  • No public uptime or support SLA applies unless separately agreed in writing.
  • Some org-facing capabilities remain in staged rollout rather than being fully self-serve.

6. Enterprise requests

If your team needs a DPA, custom retention review, security questionnaire, or implementation-specific discussion before rollout, contact mindcore.official.dev@gmail.com. We will provide the current trust material that matches the live product rather than a roadmap-era security packet.
