Security teams should ask hard questions before adopting new tooling. Here are our honest answers: what we do, what we don't, and where the boundaries are.
Stoney is a binary that runs inside your own CI runners. It makes HTTP requests against your staging environment and checks the responses. No source code, no secrets, and no HTTP payloads are ever transmitted to Stoney's servers.
When you generate an API token, we display it exactly once. What we store is the SHA-256 hash, never the token itself. There is no recovery path; if you lose it, you revoke it and generate a new one.
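The show-once, hash-at-rest token lifecycle described above, as an added Python example that is not Stoney's own code; the in-memory TokenStore and its method names are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenStore:
    """Assumed in-memory stand-in for the token table (illustration only)."""

    # Maps SHA-256 hex digest of a token -> owner id. The plaintext token is
    # never written here, so a database leak yields only one-way hashes.
    hashes: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, owner: str) -> str:
        # 32 random bytes from the OS CSPRNG, URL-safe encoded. This return
        # value is the only time anyone sees the token; afterwards it exists
        # only as a digest, so there is nothing to "recover" later.
        token = secrets.token_urlsafe(32)
        self.hashes[self._digest(token)] = owner
        return token

    def verify(self, presented: str) -> Optional[str]:
        # Hash the presented value and look the digest up. A plain lookup is
        # sufficient: knowing a stored digest does not let anyone authenticate,
        # because authentication requires the preimage (the token itself).
        return self.hashes.get(self._digest(presented))

    def revoke(self, presented: str) -> bool:
        # Revocation deletes the digest; the only path after loss is
        # revoke-and-reissue, exactly as the policy above states.
        return self.hashes.pop(self._digest(presented), None) is not None


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("alice")  # shown once to the user
    print("stored digests:", list(store.hashes))  # never the token
    print("verify:", store.verify(token))
    print("revoked:", store.revoke(token), "verify after:", store.verify(token))
```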
The Jira integration requests only read:jira-work and write:jira-work. Slack requests only the ability to post to a chosen channel. We never request admin, deletion, or workspace management permissions.
Every action is gated by role. Owners manage billing and org settings. Admins invite members and manage tokens. Members can view runs. There are no escalation paths between roles.
Every security-relevant action (token creation, revocation, member changes, plan changes) is written to an append-only audit log. You can see who did what and when. (Audit log available on Pro plan.)
We use Vercel Analytics for anonymized, aggregate performance metrics only. No Google Analytics, no Facebook Pixel, no ad networks. Your usage data is not sold or shared with any third party.
Found a vulnerability? Please email us before public disclosure so we can address it responsibly.
We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.
security@stoneydev.com