Coordinated disclosure policy

Version 1.0 · Effective 2026-04-29 · Cite this page as https://security.cloakapi.io/policy?v=1.0

1. Scope of this policy

This policy applies to every security researcher reporting a finding against any CloakAPI surface listed under "In scope" on the front page. By reporting a finding to security@cloakapi.io you accept the terms here.

2. What we promise

  1. Acknowledgement within one business day. If a report arrives Monday to Friday before 16:00 CET, we acknowledge by the end of the next business day. Outside that window, by the end of the second business day.
  2. No legal action against good-faith research. We will not file civil or criminal claims against a researcher operating under §3 of this policy.
  3. Coordinated disclosure window. 14 days for high severity, 90 days otherwise. We extend on request when the fix requires upstream coordination, and we say so publicly if we ever miss a deadline.
  4. Credit by default. Findings appear on /hall-of-fame unless the reporter asks for anonymity.
  5. Bounty for first-of-kind, severity-scaled. See §5.

3. What we expect from you

  1. Test only on accounts you own, or with explicit permission from the account owner.
  2. Stop immediately on encountering live customer PII; do not exfiltrate or retain copies. Report the finding describing how you encountered the data, not the data itself.
  3. Avoid actions that degrade service for other users (DoS, sustained heavy traffic, mass account creation, brute-force credential testing without rate-limit awareness).
  4. Do not modify, destroy, or persist data beyond what is strictly required to demonstrate the finding.
  5. Report through the channels in §4 before public disclosure.
  6. Do not condition the report on payment ("pay or I tell"). That ends safe harbour for the report.

4. Reporting channels

4.1 Email (preferred)

security@cloakapi.io. PGP-encrypt with the key at /pgp-key.asc for high-severity findings.

4.2 RFC 9116 security.txt

Authoritative metadata at /.well-known/security.txt (mirrored at the gateway).

4.3 In an existing customer engagement

If you are already routed through a CloakAPI partner or have a paid Enterprise contract, the named CloakAPI engineer in your engagement is also a valid channel.

5. Bounty

We do not publish a fixed grid because the payout reflects what was avoided, not which checkbox the report ticked. Expect:

Payment routes through Stripe Connect, NOK settlement if you are a Norwegian SE/AS, or a verifiable charity donation in your name on request.

6. What is out of scope

7. Public-disclosure timing

We coordinate public disclosure with the reporter. Default timeline:

  1. Day 0 — report received.
  2. Day 1 — acknowledgement.
  3. Day 1–14 (high severity) or Day 1–90 (otherwise) — fix shipped, validated, and deployed.
  4. Day +30 — public disclosure with technical write-up, hall-of-fame entry, and CVE if applicable.

If a finding is being actively exploited in the wild we may shorten any of these windows; we will say so explicitly to the reporter.

8. Updates to this policy

This is version 1.0. Any future change is published on this page with a version bump and an entry in the redline diff at /policy/diff. Cite a specific version with the ?v=N.M URL parameter — the build pipeline keeps historical versions at versioned paths.