Security Practices Statement
Last updated: January 2026
This document describes the security practices applied by Jain & Panchenko Software Solutions GbR in the development and maintenance of its proprietary products and open-source software projects.
Company Overview
Oraios Software is an independent software company operated by two senior software developers with decades of professional experience in commercial and open-source software development.
Oraios Software develops developer tooling with a strong focus on code quality, reliability, and security. Security considerations are integrated into design, implementation, review, and release processes.
Scope
This statement applies to:
- Proprietary software products developed and distributed by Oraios Software
- Open-source software projects maintained by Oraios Software
Products
The following proprietary products are currently developed and maintained by Oraios Software:
- Serena IntelliJ Platform Plugin
https://plugins.jetbrains.com/plugin/28946-serena/
Additional proprietary products may be added over time and will follow the same security principles described in this document.
Open Source Software Projects
The following open-source software projects are currently maintained by Oraios Software:
- Serena MCP
https://github.com/oraios/serena/
Additional open-source projects may be added over time and will follow the same security principles described in this document.
Security Governance and Responsibility
- Security responsibility lies directly with the developers of Oraios Software.
- All code is authored, reviewed, and released by the maintainers.
- There is no outsourced or third-party development for closed-source products. For open-source projects, there is no third-party development without explicit review and approval.
- Security decisions are made with direct knowledge of the full codebase and architecture.
Secure Development Practices
Code Ownership and Review
- Proprietary products are developed as closed-source software and maintained exclusively by Oraios Software.
- Open-source projects are maintained exclusively by Oraios Software.
- External contributions to open-source projects are reviewed line-by-line prior to acceptance.
Dependency Management
- Dependency usage is intentionally minimized.
- Dependencies are limited to widely used, well-maintained libraries and platform APIs where necessary.
- Dependencies are periodically reviewed for relevance, maintenance status, and known security issues.
Platform and Distribution Security
- Proprietary plugins are distributed exclusively through official and trusted platforms.
- The Serena IntelliJ Platform Plugin is distributed via the JetBrains Marketplace.
- Each plugin release is subject to JetBrains' automated and manual verification processes.
- Platform-provided security mechanisms (such as sandboxing and permission models) are relied upon and respected.
Vulnerability Management
Identification
- Security advisories for dependencies and platforms are monitored.
- Issues reported by users or the community are reviewed promptly.
- Because the maintainers hold full code ownership, all relevant code paths are directly accessible for inspection.
Remediation
- Identified vulnerabilities are analyzed and prioritized based on risk.
- Security-related fixes are implemented and released as soon as practical.
- Updated releases are published through official distribution channels.
Reporting
Security issues can be reported via:
- GitHub issues (for non-sensitive disclosures related to open-source projects), or
- Direct contact for responsible disclosure of sensitive issues
Malware Protection and Development Environment Security
- Development systems are protected with up-to-date antivirus software.
- Developer laptops use full-disk encryption.
- Access to source code repositories is authenticated.
- Releases are built and distributed using trusted development environments and official channels only.
Data Protection and Privacy
- Oraios Software products do not collect personal data by default.
- No user data is transmitted to Oraios Software servers unless explicitly documented.
- Products operate locally within their host environments unless otherwise stated.
Open Source Security Practices
For open-source software projects maintained by Oraios Software:
- Only maintainers have merge permissions.
- All external contributions are reviewed prior to acceptance.
- Dependency usage is conservative and transparent.
- Security-relevant changes are documented in project history and release notes where applicable.
Certifications and Compliance
Oraios Software does not currently hold formal security certifications (such as ISO/IEC 27001).
Given the size and scope of the organization and its products, security is addressed through direct technical controls, disciplined development practices, and full code ownership rather than formal certification frameworks.
Continuous Improvement
Security practices are reviewed regularly and updated as necessary to reflect:
- Changes in platforms and dependencies
- New threat models relevant to developer tooling
- Product and organizational evolution
This document will be updated accordingly.
Contact
For security-related questions or responsible disclosure, please contact us.