Security

Security & responsible disclosure

Tidewatch is built and operated by a CTO with a long cybersecurity track record (penetration testing, infrastructure hardening, GDPR compliance, WAF / DDoS posture). Vulnerability reports are taken seriously and acknowledged within 72 hours.

Reporting a vulnerability

Please email [email protected] with the subject line “Tidewatch security disclosure” and a clear reproduction. We commit to an acknowledgement within 72 hours and a remediation plan within 14 days for high-severity findings.

Out of scope: anything affecting third-party data sources we don’t operate (AISStream.io, Copernicus Data Space, GDELT, etc.). Report those to the upstream operator.

Compliance posture

  • Data sources: open or commercially licensable, publicly citable. No classified inputs. No data routed via sanctioned countries.
  • Export control: no ITAR components in the stack. The full source is MIT-licenced and reviewable.
  • Operational security: hardened single-VPS deployment, TLS via Cloudflare, secrets in environment files (never committed). Database is not exposed to the public internet.
  • Privacy: AIS broadcasts are public maritime telemetry. OSINT items are public press articles. Tidewatch holds no user PII beyond operator email contact, and no end-customer accounts.

Provenance & auditability

Every alert traces back to a structured evidence record (alert ID, vessel MMSI, infra ID, OSINT item ID). The LLM analyst is bound by tool-call grounding: it can only cite IDs that came from a tool result. Incident reports include the build commit SHA so a reviewer can check exactly which detector code produced any claim.
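An added illustration of the tool-call grounding rule described above, not Tidewatch's own code: the analyst's draft may cite only IDs that appeared in a tool result, and the report is stamped with the build commit SHA. The ID formats, the tool results and the SHA placeholder are constructed for this example.

```python
import re

# Constructed ID shapes for this illustration; the page names the ID kinds
# (alert ID, vessel MMSI, infra ID, OSINT item ID) but not their formats.
ID_RE = re.compile(r"\b(?:ALERT|INFRA|OSINT)-\d{4}\b|\bMMSI:\d{9}\b")

# Constructed tool results, as the analyst would receive them from detector/lookup tools.
TOOL_RESULTS = [
    "alert ALERT-0042 raised for MMSI:211234567 loitering near INFRA-0007",
    "osint search returned OSINT-1001 (press report on cable fault)",
]

def ids_from_tool_results(tool_results):
    """Every ID that appeared in a tool result: the only IDs the analyst may cite."""
    allowed = set()
    for result in tool_results:
        allowed.update(ID_RE.findall(result))
    return allowed

def check_grounding(analyst_text, allowed_ids):
    """Return the sorted list of IDs cited in analyst_text that no tool result produced."""
    cited = set(ID_RE.findall(analyst_text))
    return sorted(cited - allowed_ids)

def build_incident_report(analyst_text, tool_results, build_sha):
    """Emit a report only if every cited ID is grounded, and stamp it with the build
    commit SHA so a reviewer can tie each claim back to the detector code that ran."""
    allowed = ids_from_tool_results(tool_results)
    ungrounded = check_grounding(analyst_text, allowed)
    if ungrounded:
        # Reject the draft rather than publish a citation no tool ever returned.
        return {"status": "rejected", "ungrounded_ids": ungrounded, "build_sha": build_sha}
    cited = set(ID_RE.findall(analyst_text))
    return {"status": "accepted", "evidence_ids": sorted(cited & allowed), "build_sha": build_sha}

if __name__ == "__main__":
    grounded = "ALERT-0042: MMSI:211234567 loitered near INFRA-0007; see OSINT-1001."
    # Drifted draft: cites an OSINT item that no tool result contained.
    drifted = "ALERT-0042 is corroborated by OSINT-1001 and OSINT-2002."
    print(build_incident_report(grounded, TOOL_RESULTS, "BUILD_SHA_PLACEHOLDER"))
    print(build_incident_report(drifted, TOOL_RESULTS, "BUILD_SHA_PLACEHOLDER"))
```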

Curated incident reconstructions (Yi Peng 3, Eagle S, Nord Stream) carry an explicit data-provenance note in their JSON files: hand-curated from public OSINT, not raw AIS, not for forensic use. The replay’s purpose is to validate the detectors, not to re-establish facts already established by competent authorities.