Last updated: June 20, 2026
Security & Permissions
What the Pyre browser extension can access, what stays on your device, and what is sent to Pyre's servers. Written for AppSec teams evaluating a pilot.
At a glance
- The extension requests local storage, GitHub pages, and api.usepyre.com (sign-in and licensing only).
- Pyre runs on GitHub repository Security overview pages only.
- Vulnerability content is processed locally in your browser.
- Only sign-in and licensing data is sent to Pyre's servers (work email, pilot access code, session token).
- No third-party AI or model providers. No data used for training.
- Security questions or deletion requests: security@usepyre.com
Extension access
Chrome permissions
The pilot extension requests only:
- Storage: to save your preferences, per-finding choices, and aggregate pilot counts on your device.
Host access
- api.usepyre.com: sign-in and licence validation only.
- github.com: GitHub repository Security overview pages only.
What the extension does not request
Pyre does not request broad website access or permissions for Jira, Snyk, SonarCloud, Linear, Datadog, PagerDuty, Zendesk, or other tools.
Pages Pyre reads
- The GitHub repository Security overview page you have open (/{owner}/{repo}/security).
- Visible advisory rows: title, GHSA link, severity label, and published-advisory marker.
What Pyre does not access
- Source code, repository files, or diffs.
- GitHub cookies, session tokens, or credentials.
- Issue or pull request comments, attachments, or private messages.
- The GitHub API. Pyre reads only what GitHub has rendered on the page in your browser.
- Any page outside github.com/*/security/*.
Restricting access
For managed Chrome, you can allowlist the extension through your normal enterprise browser policy. Pyre will not run on hosts your organisation blocks.
Data flow
Stays in your browser
- Advisory titles, severities, GHSA identifiers, and other vulnerability page content, used locally to apply review labels and similar-title groups.
- Your preferences, per-finding overrides, and aggregate pilot counts, stored on your device. Exported pilot summaries contain counts only, never finding titles or content.
Sent to Pyre's servers
Only sign-in and licensing data:
- On sign-in: your work email and pilot access code.
- On each page load: a session token to validate your licence.
- On sign-out: your session token to end the session.
Server storage and hosting
- Hosted on Render (United States by default).
- Server-side records: organisation name, email domain, licence status, pilot invitations, and active sessions.
- Access codes and session tokens are stored as one-way hashes, not in plain text.
- Sessions expire after 30 days unless renewed.
- No third-party AI or model providers. No training on customer data.
Deletion and uninstall
- Local data: uninstalling the extension removes preferences, overrides, and pilot counts from your browser. You can also reset pilot counts from the extension settings.
- Server data: pilot access can be revoked per user. To delete organisation or session records, email security@usepyre.com.