Security

How Drengr is built, verified, and distributed. Last updated: March 15, 2026.

Build Pipeline

Every Drengr release is built by GitHub Actions from a tagged commit. The workflow builds four platform-specific binaries in parallel:

  • macOS Apple Silicon (aarch64-apple-darwin)
  • macOS Intel (x86_64-apple-darwin)
  • Linux x86_64 (x86_64-unknown-linux-gnu)
  • Linux ARM64 (aarch64-unknown-linux-gnu)

Each binary is compiled with Rust's stable toolchain using LTO (Link-Time Optimization) for both performance and size. The result is a single static binary with zero runtime dependencies.

Checksum Verification

Every release artifact includes a SHA-256 checksum file. The install script refuses to install an unverified binary — if the checksum file is missing or the hash does not match, the installation aborts.

To manually verify a download:

# Download the binary and checksum
curl -LO https://github.com/.../drengr-v0.1.0-aarch64-apple-darwin.tar.gz
curl -LO https://github.com/.../drengr-v0.1.0-aarch64-apple-darwin.tar.gz.sha256

# Verify
shasum -a 256 -c drengr-v0.1.0-aarch64-apple-darwin.tar.gz.sha256

GPG Signing

Release checksums are signed with GPG. You can verify the signature against the public key published below to confirm the release was created by the Drengr build pipeline and has not been tampered with.

Public Key

Fingerprint: EC69 8F09 C054 4A17 918F E350 327E 7883 4F2E 0FBC

Identity: Drengr <hey@drengr.dev>

Expires: March 13, 2028

Download: drengr.dev/gpg-key.asc


Verifying a Release

# Import the Drengr public key
curl -fsSL https://drengr.dev/gpg-key.asc | gpg --import

# Verify a checksum signature
gpg --verify drengr-v0.1.0-aarch64-apple-darwin.tar.gz.sha256.asc \
             drengr-v0.1.0-aarch64-apple-darwin.tar.gz.sha256
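The two commands above are the manual version of the check. As an added example (not the Drengr install script or any code from the project), the functions below wrap both steps so that an installer refuses to proceed on a missing checksum file, a hash mismatch, or a signature that is "good" but was made by some key other than the one published on this page. It assumes the file layout the page shows (artifact, artifact.sha256, artifact.sha256.asc) and pins the fingerprint listed above; the demo input in the test is constructed.

```shell
#!/bin/sh
# Added example, not the Drengr install script: verify a release the way the
# page describes, with explicit failure modes an installer can act on.
# Assumed layout (from the page): <artifact>, <artifact>.sha256, <artifact>.sha256.asc

# Fingerprint published on this page. A signature from any other key is rejected
# even though gpg alone would report it as a good signature.
DRENGR_FPR="EC698F09C0544A17918FE350327E78834F2E0FBC"

# Hash a file with whichever SHA-256 tool is installed (shasum on macOS, sha256sum on Linux).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <artifact>
# returns 0: hash matches   1: hash differs   2: checksum file missing
verify_checksum() {
  artifact="$1"
  sumfile="$artifact.sha256"
  if [ ! -f "$sumfile" ]; then
    echo "refusing to install: $sumfile is missing" >&2
    return 2
  fi
  # .sha256 files use the "<hex>  <filename>" layout that shasum -c reads.
  expected=$(awk 'NR==1 {print $1}' "$sumfile")
  actual=$(sha256_of "$artifact")
  if [ "$expected" != "$actual" ]; then
    echo "refusing to install: checksum mismatch for $artifact" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# verify_signature <artifact>
# returns 0: detached signature on the .sha256 file is valid AND made by the pinned key
#         1: bad signature or wrong key   2: signature file missing   3: gpg not installed
verify_signature() {
  sumfile="$1.sha256"
  sigfile="$sumfile.asc"
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 3; }
  [ -f "$sigfile" ] || { echo "refusing to install: $sigfile is missing" >&2; return 2; }
  # --status-fd 1 emits machine-readable status lines. VALIDSIG carries the
  # signing key's fingerprint and, as its last field, the primary key fingerprint,
  # so matching the pinned fingerprint anywhere on that line covers both.
  status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$sumfile" 2>/dev/null)
  if ! printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$DRENGR_FPR"; then
    echo "refusing to install: no valid signature from key $DRENGR_FPR on $sumfile" >&2
    return 1
  fi
  return 0
}

# verify_release <artifact>: check the signature first, so a tampered .sha256
# file is caught before its contents are trusted, then the hash itself.
verify_release() {
  verify_signature "$1" && verify_checksum "$1" && echo "verified: $1"
}

# Usage on a real download, after importing the key as shown above:
#   verify_release drengr-v0.1.0-aarch64-apple-darwin.tar.gz
```

The ordering in verify_release matters: the checksum file is the thing the signature covers, so it has to be authenticated before its hash is compared, otherwise an attacker who can replace the tarball can replace the .sha256 alongside it.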

What drengr doctor Tells You

After installation, drengr doctor runs a diagnostic check and reports exactly what it found on your system:

  • Whether ADB is installed and which version
  • Whether simctl (Xcode) is available (macOS only)
  • Which devices are connected — device ID, model, OS version
  • Which AI provider API keys are set in your environment (it checks for their presence, never logs the key values)

It does not modify your system, install anything, or make network requests. It is a read-only diagnostic.

No Network Activity by Default

Drengr makes no outbound network requests unless you explicitly use features that require them:

  • OODA loop (drengr run) — sends screen data to your configured AI provider (OpenAI, Anthropic, Google, Groq)
  • Cloud devices (coming soon) — connects to Appium endpoints you configure (BrowserStack, Sauce Labs)
  • SDK server (coming soon) — listens on localhost:7879 for connections from your own app's SDK

MCP mode (drengr mcp), test suites (drengr test), and explore mode (drengr explore) operate entirely locally.

Security Disclosure Policy

I take the security of Drengr seriously. If you believe you have found a security vulnerability in the Software, the installation infrastructure (install script, npm package), or the drengr.dev website, I encourage you to report it responsibly. I will work with you to understand and address the issue promptly.

How to Report

Send your report by email to: hey@drengr.dev

Please include as much of the following as possible:

  • A description of the vulnerability and its potential impact
  • The component affected (e.g., the binary, the install script, the SDK server, the website)
  • Step-by-step instructions to reproduce the vulnerability
  • Proof-of-concept code or commands, if applicable
  • Your assessment of severity (e.g., using the CVSS scoring framework)

You may encrypt your report using my PGP key, available at drengr.dev/gpg-key.asc (optional but encouraged for sensitive disclosures).

Response Timeline

Milestone                                    Target timeline
Acknowledgment of receipt                    Within 72 hours
Initial assessment and severity triage       Within 7 days
Remediation plan communicated to you         Within 14 days
Patch released (high/critical issues)        Within 90 days
Public disclosure (coordinated with you)     After patch is released

Safe Harbor

I will not pursue civil or criminal legal action against security researchers who:

  1. Make a good-faith effort to contact me and give me a reasonable opportunity to address the vulnerability before public disclosure
  2. Avoid accessing, modifying, or deleting data that does not belong to them (use your own test devices and accounts)
  3. Do not exploit a vulnerability beyond what is necessary to confirm its existence and demonstrate its impact
  4. Do not engage in social engineering, phishing, denial-of-service attacks, physical security attacks, or attacks on third-party systems in connection with their research
  5. Do not violate the privacy of users (do not capture or retain personal data encountered during research)
  6. Act in good faith and in accordance with this policy and applicable law

I consider security research conducted in accordance with this policy to constitute authorized activity under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and comparable laws. I will not refer complaints about good-faith security research to law enforcement and will support researchers if third parties bring such complaints.

This safe harbor applies to the Software and the drengr.dev website. It does not extend to third-party systems (AI Providers, Cloud Device Providers, or any Device you do not own or control).

Scope

In scope:

  • The Drengr binary (all versions)
  • The curl install script hosted at drengr.dev/install.sh
  • The npm package
  • The SDK Server (port 7879)
  • The drengr.dev website and subdomains

Out of scope:

  • Vulnerabilities in third-party AI Provider APIs or SDKs
  • Vulnerabilities in Cloud Device Provider infrastructure
  • Social engineering attacks against me personally
  • Denial-of-service vulnerabilities that require significant resources to exploit
  • Theoretical vulnerabilities without a practical demonstration
  • Issues in devices you do not own or have explicit authorization to test against

Public Disclosure

I believe in coordinated disclosure. I ask that you give me the timeline described above before publishing your findings. After a patch is available, I am happy to acknowledge your contribution in the release notes. If you prefer to remain anonymous, I will respect that preference.

If I am unable to resolve a confirmed vulnerability within 90 days, I will work with you on a mutually agreed public disclosure timeline regardless.

No Bug Bounty Program

I do not currently operate a paid bug bounty program. I offer acknowledgment, good-faith engagement, and my sincere gratitude. If that changes, I will update this page.

Acknowledgments

No vulnerabilities have been reported yet. If you find one and would like to be listed here, let me know when you report it.