We sell security. We had better be careful with yours.
This page is a single source of truth for how Gated handles credentials, customer data, authorization, and incidents. It’s updated on the day the underlying controls change.
How Probe handles your credentials.
Probe requires a credential to reach your MCP server. We recommend a dedicated, scoped bearer token that is not used by any other caller and that you can revoke without collateral damage. Probe will refuse to run against a credential that appears to be a shared production secret.
Credentials are encrypted at rest with per-tenant AES-256 keys, managed in AWS KMS under our security account. Decryption is only possible from the scan execution environment, which is an ephemeral, tenant-scoped worker that exits at the end of each scan.
Credentials are never logged, never surfaced in the UI, and never included in exports. You can rotate or revoke a credential from the app at any time. A revoked credential is deleted from our encrypted store within five minutes.
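The shape of the credential path above (a per-tenant key that never leaves KMS, a data key wrapped under it, and a worker that can decrypt only for its own tenant and only for the life of one scan) is easy to get subtly wrong, so here is an added, self-contained illustration of that design. This is example code, not Gated's implementation: FakeKMS is an in-process stand-in for AWS KMS, the tenant IDs and the token string are constructed, and real KMS would do the wrapping inside its own boundary. The example binds the tenant ID into both AES-256-GCM layers as associated data, so an envelope copied into another tenant's row fails authentication rather than decrypting, and it shows what a worker sees once the tenant key has been deleted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the control plane persists: never the plaintext credential,
// never the plaintext data key. Both byte fields are AES-256-GCM ciphertexts.
type Envelope struct {
	TenantID   string
	WrappedKey []byte // 256-bit data key, encrypted under the tenant's master key
	Ciphertext []byte // credential, encrypted under the data key
}

// FakeKMS stands in for AWS KMS (assumption for this example): one 256-bit
// master key per tenant that is only ever used inside this type.
type FakeKMS struct{ masters map[string][]byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{masters: map[string][]byte{}} }

func (k *FakeKMS) CreateTenantKey(tenant string) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	k.masters[tenant] = key
}

// DeleteTenantKey models revocation: nothing wrapped under the key is
// recoverable afterwards, whatever ciphertext is still on disk.
func (k *FakeKMS) DeleteTenantKey(tenant string) { delete(k.masters, tenant) }

// gcmSeal returns nonce || ciphertext || tag. The tenant ID is passed as AAD so
// the blob is only valid in the tenant it was written for.
func gcmSeal(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// GenerateDataKey hands out a fresh data key in plaintext (for immediate use)
// and wrapped (for storage), mirroring KMS GenerateDataKey.
func (k *FakeKMS) GenerateDataKey(tenant string) (plain, wrapped []byte, err error) {
	master, ok := k.masters[tenant]
	if !ok {
		return nil, nil, fmt.Errorf("no master key for tenant %q", tenant)
	}
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = gcmSeal(master, []byte(tenant), plain)
	return plain, wrapped, err
}

func (k *FakeKMS) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	master, ok := k.masters[tenant]
	if !ok {
		return nil, fmt.Errorf("no master key for tenant %q (revoked or never created)", tenant)
	}
	return gcmOpen(master, []byte(tenant), wrapped)
}

// StoreCredential is the only place the plaintext credential is seen outside a
// scan; the data key is zeroed as soon as the envelope is built.
func StoreCredential(kms *FakeKMS, tenant string, credential []byte) (Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(tenant)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dataKey)
	ct, err := gcmSeal(dataKey, []byte(tenant), credential)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{TenantID: tenant, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// RunScan models the ephemeral worker: the plaintext exists only while use()
// runs, and key and credential buffers are zeroed on return (best effort in a
// garbage-collected language; the worker exiting is the real guarantee).
func RunScan(kms *FakeKMS, env Envelope, use func(cred []byte) error) error {
	dataKey, err := kms.Unwrap(env.TenantID, env.WrappedKey)
	if err != nil {
		return fmt.Errorf("worker cannot unwrap data key: %w", err)
	}
	defer zero(dataKey)
	cred, err := gcmOpen(dataKey, []byte(env.TenantID), env.Ciphertext)
	if err != nil {
		return fmt.Errorf("envelope is not valid for tenant %q: %w", env.TenantID, err)
	}
	defer zero(cred)
	return use(cred)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewFakeKMS()
	kms.CreateTenantKey("tenant-a")
	kms.CreateTenantKey("tenant-b")
	// Constructed sample token; not a real credential.
	env, _ := StoreCredential(kms, "tenant-a", []byte("probe-token-constructed-example"))
	fmt.Println("own tenant:", RunScan(kms, env, func(c []byte) error {
		fmt.Printf("worker received a %d-byte credential\n", len(c))
		return nil
	}))
	moved := env
	moved.TenantID = "tenant-b"
	fmt.Println("envelope moved to tenant-b:", RunScan(kms, moved, func([]byte) error { return nil }))
	kms.DeleteTenantKey("tenant-a")
	fmt.Println("after revocation:", RunScan(kms, env, func([]byte) error { return nil }))
}
```

The two failure cases are the ones worth checking in any real deployment: an envelope re-labelled for another tenant must fail to open (here because the other tenant's master key cannot unwrap it, and because the AAD no longer matches), and once the tenant key is gone the stored ciphertext must be useless to a worker even though it still exists.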
What we store, for how long, and why.
A Probe scan produces three classes of artifact: scan metadata (target, timestamp, check IDs, pass/fail), finding bodies (response excerpts needed to prove the finding), and operational logs (request traces we use for support).
All data is stored in AWS us-east-1 by default. EU-residency is available on Team and Enterprise plans, with data pinned to eu-west-1 and not replicated out. You can purge your entire tenant at any time; the purge is irreversible and completes within 24 hours.
What happens when something goes wrong.
We treat two classes of events as incidents: (1) unauthorized access to customer data on our side, and (2) a Probe scan that causes impact to a target beyond the agreed scope.
On detection, we open an incident channel, page the on-call engineer within 10 minutes, and begin a timeline document. For confirmed incidents, we notify affected customers within 24 hours with what we know; a full post-mortem follows within 10 business days, published to the affected customer and — for customer-data incidents — to our public writing log once disclosure is complete.
Contact: security@gated.sh · PGP fingerprint 4C6F 7665 2074 6865 206C 6974 746C 6520 7468 696E 6773
Where we currently stand.
Found a vulnerability in Gated?
Mail security@gated.sh with a description, a reproduction, and your preferred credit line. We’ll acknowledge within 48 hours and give you an initial assessment within five business days.
Safe harbor: good-faith research that respects the scope below is explicitly authorized and will not be met with legal action. We run a modest bounty; amounts scale with severity and are paid in USD or equivalent. Ask us for the current schedule.
- In scope: *.gated.sh and the Probe scanner runtime.
- Out of scope: third-party services we use (Stripe, Vercel, Postmark), social engineering, physical attacks, or any scan against a target you don't own.
Questions this page doesn’t answer?
Mail security@gated.sh — we answer within one business day.