Security

Bellcow uses Clerk for authentication — your email and session are managed by Clerk's identity infrastructure, not stored as passwords on our side. Your league credentials (ESPN cookies, Yahoo OAuth tokens) are encrypted at rest in our Postgres database and only decrypted at the moment a recommendation needs them.

We run automated dependency vulnerability scanning on every push (pip-audit on the API, the standard Next.js audit chain on the web app) and do not knowingly ship a build with a fix-available CVE in a runtime dependency.

If you believe you've found a security issue, please report it directly to hello@bellcow.ai before disclosing publicly. We'll acknowledge within 72 hours and work with you on a fix.