Security

Security at EnforceGrid

We build governance infrastructure. Security is not a feature we can treat as optional — it is the job.

Responsible disclosure

If you've found a vulnerability in Steer or any EnforceGrid-operated infrastructure, please disclose it privately before publishing. We commit to:

Acknowledging your report within 2 business days
Providing a remediation timeline within 7 business days
Crediting you publicly (if you want) once the issue is resolved
Not pursuing legal action for good-faith security research

Report vulnerabilities to: security@enforcegrid.com
PGP key available on request. For critical severity issues, please encrypt your report.

Scope

What is in and out of scope for security research:

Target	Status	Notes
`github.com/EnforceGrid/steer`	IN SCOPE	Core enforcement engine — all findings welcome
Steer proxy request/response handling	IN SCOPE	Policy bypass, audit record tampering, payload leakage
Cedar policy evaluation engine	IN SCOPE	Policy logic errors, evaluation bypass
`enforcegrid.com` website	IN SCOPE	Standard web vulnerabilities
Managed cloud infrastructure	IN SCOPE	Contact us first — coordinated testing only
Third-party LLM providers	OUT OF SCOPE	Report directly to OpenAI, Anthropic, etc.
Social engineering of EnforceGrid staff	OUT OF SCOPE	Not a valid research vector

Our security posture

Steer is designed around a principle we call zero-knowledge enforcement: the proxy evaluates policy against request metadata and context, but never requires access to the content of AI agent payloads to function. No payload data is stored by default. No telemetry leaves your network boundary in the open-source build.

Architectural commitments in the Steer enforcement engine:

Audit records are cryptographically chained — gaps or alterations are detectable
Fail-open by default — a Steer outage does not take down your AI agents
No external policy service calls — evaluation is in-process with the proxy
Cedar policy evaluation is formally analyzable — you can verify policy coverage without running it

Apache 2.0 Core SOC 2 · Roadmap OWASP ASI01–10 Aligned

Dependency security

Steer's open-source engine maintains a pinned dependency manifest. Security advisories for direct dependencies are reviewed within 48 hours of publication. We track upstream vulnerabilities in Cedar, the proxy runtime, and audit storage components.

To report a vulnerability in a dependency rather than Steer itself, please still email us — we'll coordinate upstream disclosure and apply patches promptly.

Bug bounty

We do not currently operate a formal bug bounty program. We do recognize contributors who identify meaningful vulnerabilities — reach out after responsible disclosure to discuss recognition. A structured bounty program is on our roadmap as the team scales.