Security & Trust

Built to earn buyer trust.

Epochly runs in-process with your application. We hold a clear line on what we collect, how we disclose issues, and how our releases are built.

Report a vulnerability

Report suspected vulnerabilities privately. Please don't open public issues for unreleased vulnerabilities. We acknowledge new private reports within five business days.

[email protected]

Please include

  • Affected Epochly version and installation method (wheel, sdist, editable).
  • A minimal reproduction or proof of concept.
  • Operating system, Python version, and relevant environment variables.
  • Impact assessment: confidentiality, integrity, availability, sandboxing, telemetry, or update paths.

Coordinated disclosure

Epochly follows coordinated, responsible disclosure with a default 90-day embargo from the acknowledged report date to the public advisory. Timing may be shortened for actively exploited issues, or lengthened by mutual agreement.

  1. Acknowledge the private report and assign a tracking handle.
  2. Reproduce, confirm impact, and identify affected version lines.
  3. Prepare and validate a fix on a private branch when needed.
  4. Publish a patched release and advisory once an actionable update exists.
  5. Credit the reporter in the advisory, unless they request anonymity.

Data handling

Epochly emits scrubbed telemetry by default (opt-out), plus opt-in heartbeat telemetry for Lens users. We never collect the following — even with every opt-in flag enabled:

Your code & data

Function inputs or outputs, datasets, dataframes, tensors, source trees, or arbitrary local files.

Secrets

API keys, tokens, and environment secrets — outside the explicit, opt-in Lens heartbeat flow.

Identifying network data

Plaintext usernames, home-directory paths, IP addresses, or MAC addresses. Payloads are scrubbed before transmission.
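An added example of the scrubbing step described above. It is written for this page, not taken from Epochly: the placeholder tokens, the regular expressions and the sample payload are constructed, and the authoritative field list lives in the Telemetry Data Flow doc. The point it shows is that "scrubbed before transmission" has to walk every string in the payload, and that IP-looking tokens are validated with the ipaddress module so version numbers and timestamps survive.

```python
"""Illustrative telemetry scrubber (not Epochly's code).

Redacts usernames, home-directory paths, IP and MAC addresses from every
string in a nested payload before it would be serialised and sent.
"""
import ipaddress
import re
from typing import Any

# MAC addresses: six hex pairs separated by ':' or '-'
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
)
# Anything that could be an IPv4/IPv6 literal; each candidate is validated
# with ipaddress below, so "3.11" or "12:34:56" are left alone.
_IP_CANDIDATE_RE = re.compile(r"(?<!\w)[0-9A-Fa-f:.]{2,45}(?!\w)")
# POSIX and Windows home directories: keep the prefix, drop the account name
_HOME_RE = re.compile(r"(/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\\s\"']+)")


def _redact_ip(match) -> str:
    token = match.group(0)
    core = token.rstrip(".:")  # "10.0.0.1." at the end of a sentence
    # Third candidate handles IPv4 "host:port" literals
    for candidate in (token, core, core.rsplit(":", 1)[0]):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        return "<ip>" + token[len(candidate):]
    return token


def scrub_text(value: str, username: str) -> str:
    """Redact network identifiers, home paths and the local username."""
    value = _MAC_RE.sub("<mac>", value)            # before the IP pass
    value = _IP_CANDIDATE_RE.sub(_redact_ip, value)
    value = _HOME_RE.sub(lambda m: m.group(1) + "<user>", value)
    if username:
        # In real use the name comes from getpass.getuser(); very short
        # usernames would need word-boundary matching to avoid over-redaction.
        value = value.replace(username, "<user>")
    return value


def scrub_payload(payload: Any, username: str) -> Any:
    """Walk nested dicts/lists and scrub every string leaf; keys untouched."""
    if isinstance(payload, dict):
        return {k: scrub_payload(v, username) for k, v in payload.items()}
    if isinstance(payload, list):
        return [scrub_payload(v, username) for v in payload]
    if isinstance(payload, str):
        return scrub_text(payload, username)
    return payload


# Constructed sample payload, not real telemetry
SAMPLE = {
    "user": "alice",
    "cwd": "/home/alice/project",
    "host": "10.0.0.7:8080",
    "iface": "aa:bb:cc:dd:ee:ff",
    "note": "python 3.11 on 2001:db8::1, run 12:34:56",
    "versions": ["0.6.2"],
    "count": 3,
}

if __name__ == "__main__":
    print(scrub_payload(SAMPLE, "alice"))
```

Running it on the constructed payload leaves the version string, the timestamp and the port alone while replacing the username, home path, both addresses and the MAC with placeholders. A real scrubber would also hash or drop the raw hardware-fingerprint attributes named in the threat model.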

You stay in control

Telemetry is never a security boundary — disabling it never changes runtime correctness. Two environment variables put you in control, and the full field-by-field accounting lives in our Telemetry Data Flow doc.

# Disable telemetry, keep licensing reachable
export EPOCHLY_DISABLE_TELEMETRY=1
# Go fully offline (license + telemetry endpoints suppressed)
export EPOCHLY_OFFLINE_MODE=1

Threat model

The threat model assumes the host OS, Python interpreter, and your source code are trusted. The adversaries we explicitly defend against:

Curious user

Scrubbing prevents inadvertent disclosure of raw hardware-fingerprint attributes, function inputs/outputs, source trees, datasets, or secrets in outbound traffic.

Network adversary

TLS-only transport, no plaintext PII, and no replayable secrets in URL query strings, so a passive or on-path observer learns nothing it can reuse.

Supply-chain attacker

Signed, reproducible release artifacts and an auditable release pipeline defend against a malicious wheel published under the epochly name.

Licensing-bypass attacker

Server-side validation of proof tokens means client-side tampering with fingerprints or proofs fails closed at the backend.
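An added example of what "fails closed at the backend" means in code. It is an illustration written for this page, not Epochly's licensing protocol: the token format (an HMAC-SHA256 over a JSON claim set binding a license id to a fingerprint and an expiry), the field names and the key are all assumptions. What it demonstrates is that the server trusts only its own signature, so a client that edits the fingerprint, re-uses a tag under another key, or sends something malformed is rejected on every path.

```python
"""Illustrative server-side proof-token check (not Epochly's protocol)."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-held key; the client never sees it
KEY = b"constructed-server-side-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_proof(key: bytes, license_id: str, fingerprint: str, expires_at: int) -> str:
    """Server side: bind a license to a fingerprint and sign the binding."""
    claims = {"lic": license_id, "fp": fingerprint, "exp": expires_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def validate_proof(key: bytes, token: str, claimed_fingerprint: str, now: int):
    """Server side: every failure path returns (False, reason); fail closed."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error, AttributeError):
        return False, "malformed"
    # Verify before parsing: untrusted bytes are never interpreted unsigned
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    try:
        claims = json.loads(body)
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    fp = str(claims.get("fp", "")).encode()
    if not hmac.compare_digest(fp, claimed_fingerprint.encode()):
        return False, "fingerprint mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    return True, "ok"


def tamper_fingerprint(token: str, new_fingerprint: str) -> str:
    """What a client-side bypass looks like: rewrite the claims, keep the tag."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["fp"] = new_fingerprint
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    tok = issue_proof(KEY, "lic-1", "fp-A", 2000)
    print(validate_proof(KEY, tok, "fp-A", 1000))
    print(validate_proof(KEY, tamper_fingerprint(tok, "fp-B"), "fp-B", 1000))
```

The ordering matters: the signature is checked before the claims are decoded, the comparisons are constant-time, and there is no code path that returns True without passing every check.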

Read the full threat model, including network surface, the license/telemetry trust boundary, and supply-chain posture.

Supply chain

  • Wheels are built in CI from a clean checkout on every release — manual tag pushes are blocked by policy.
  • A machine-readable SBOM is attached to each GitHub release; you can also generate one locally.
  • Wheels publish to PyPI via a trusted-publisher OIDC flow, not long-lived API tokens.
  • Need artifact pinning today? Put the release's hashes in a requirements file (pip hash <file> prints the line) and install with pip install --require-hashes -r requirements.txt; pip accepts --hash only in requirements files, not on the command line.
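An added example of the pinning step, written for this page rather than taken from Epochly's release tooling: it hashes every artifact in a download directory, verifies a file against a pinned digest, and emits the requirements-file line that pip's --require-hashes mode expects. The package name, version and the two artifact files in the demo are constructed; only the pip flags named in the usage note are real.

```python
"""Illustrative hash pinning helper (not Epochly's tooling)."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Iterable


def sha256_file(path) -> str:
    """Streaming SHA-256 so large wheels are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, expected_sha256: str) -> bool:
    """True only if the file's digest equals the pinned one."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.strip().lower())


def requirements_line(name: str, version: str, digests: Iterable[str]) -> str:
    """One requirement with one --hash per accepted artifact (e.g. per platform wheel)."""
    hashes = " \\\n    ".join(f"--hash=sha256:{d}" for d in sorted(digests))
    return f"{name}=={version} \\\n    {hashes}"


def pin_directory(name: str, version: str, artifact_dir) -> str:
    """Pin every wheel and sdist found in artifact_dir."""
    files = sorted(
        p for p in Path(artifact_dir).iterdir()
        if p.name.endswith((".whl", ".tar.gz"))
    )
    return requirements_line(name, version, [sha256_file(p) for p in files])


def demo() -> dict:
    """Constructed artifacts in a temp dir; not real Epochly releases."""
    with tempfile.TemporaryDirectory() as d:
        wheel = Path(d) / "epochly-0.6.2-py3-none-any.whl"
        sdist = Path(d) / "epochly-0.6.2.tar.gz"
        wheel.write_bytes(b"hello")
        sdist.write_bytes(b"world")
        return {
            "line": pin_directory("epochly", "0.6.2", d),
            "wheel_sha256": sha256_file(wheel),
            "wheel_ok": verify_artifact(wheel, sha256_file(wheel)),
            # A swapped artifact fails verification even with a plausible digest
            "wheel_swapped": verify_artifact(wheel, sha256_file(sdist)),
        }


if __name__ == "__main__":
    print(demo()["line"])
```

In practice the directory comes from pip download epochly==<version> --no-deps -d dist/, the line goes into requirements.txt, and the install is pip install --require-hashes -r requirements.txt, which refuses any artifact whose digest is not listed. Compare the digests you compute against the ones attached to the GitHub release before trusting them.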

Supported versions

Security patches target the active 0.6.x line and the Python versions declared in the package metadata.

Python 3.9 through 3.14 · Linux · macOS · Windows

Read the full security docs

The Security Policy, Threat Model, and Telemetry Data Flow docs cover our posture in depth.