Security disclosure surface · Active

Reporting a vulnerability in CloakAPI

If you have found a security issue in any CloakAPI surface — gateway, portal, chat, attestations, SDKs, browser extension, desktop client — this page is the canonical front door for getting it to us safely and getting credited for it.

Fast path

Email security@cloakapi.io

PGP key download .asc

RFC 9116 security.txt

Hall of fame acknowledgements

For high-severity findings (RCE on the gateway, key exfiltration, signed-receipt forgery), please encrypt with the PGP key above. For everything else plain email is fine — we route security@ into a dedicated triage queue, not the general support inbox.

Scope

In scope. All hosts under *.cloakapi.io and *.signedreceipts.org; the published SDKs (cloakapi on PyPI / npm / crates.io / Maven / Packagist / NuGet), the desktop client (apps/desktop), the browser extension (apps/browser-extension), and the SignedReceipt protocol implementations in packages/open-receipt-{ts,rs}.

Out of scope. Findings against third-party providers we route to (Anthropic, OpenAI, Grok, Ollama). Reports about the WordPress placeholder on cloakapi.io apex marketing — that surface is being rebuilt. Reports that require physical access to a customer device. Findings that depend on disabling our own client-side tokeniser.

Safe-harbour

We commit to not pursue legal action against researchers who:

Make a good-faith effort to avoid privacy violations, data destruction, and service degradation.
Test only on accounts they own or accounts where they have explicit permission from the owner.
Report findings via the channels above before public disclosure, and give us a reasonable window to fix.
Do not extort, threaten, or attempt to extract a payout disconnected from the merit of the finding.

Read the full text in our disclosure policy.

Disclosure window

We aim to acknowledge every report within 1 business day, ship a fix or a mitigation within 14 days for high severity and 90 days for everything else, and coordinate public disclosure with the reporter. If we miss the 90-day mark we will say so publicly and explain.

What you get back

For first-of-kind findings we offer:

Public credit on this page (with your handle and finding tag) unless you ask for anonymity.
A signed acknowledgement letter, including a SignedReceipt v1.1 envelope you can verify yourself, suitable for resumes / certifications.
For findings of CVSS 7.0+ severity, a bounty payout — amount scales with severity and impact. We don't run a fixed bounty grid because the payout depends on what was avoided; expect it to be commercially fair.
Where applicable, a CVE assigned via CloakAPI's CNA (when our CNA application clears) or via our partner CNA in the meantime.

Operational

PGP fingerprint for security@cloakapi.io: 2C60 8570 23B3 115A 5B54 E6ED F30A 0D69 1DB0 45B3 (ed25519 signing + cv25519 encryption subkey, both expire 2027-04-29). Download at /pgp-key.asc; signed security.txt sidecars at /security.txt.sig and /.well-known/security.txt.sig.

Receipt signing key. ed25519 keypair, public-key SHA-256 fingerprint 742bc17e…d47d7. Published at api.cloakapi.io/api/.well-known/cloakapi-receipt-pubkey.pem (PEM) and /oauth/jwks (JWKS, the same RSA key Passport signs OIDC tokens with). NIST CMVP cert #5146 covers the underlying primitives.

SOC 2 Type 1 in flight; Type 2 starts after 12 months of operating evidence. GDPR Article 25 by-design documentation: cloakapi.io/legal/privacy.

If you can't email

Use errors.cloakapi.io if you have a GlitchTip account or a partner reaches us through a customer's project. As a last-resort relay, the gateway publishes security.txt with the same contact data — same humans triage both.