# CloakAPI Security Disclosure # RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116 # # A signed copy of this file is available at: # https://security.cloakapi.io/.well-known/security.txt.sig # Verify with the PGP key at: # https://security.cloakapi.io/pgp-key.asc Contact: mailto:security@cloakapi.io Expires: 2026-08-03T00:00:00.000Z Encryption: https://security.cloakapi.io/pgp-key.asc Preferred-Languages: en, no Canonical: https://security.cloakapi.io/.well-known/security.txt Policy: https://security.cloakapi.io/policy/ Acknowledgments: https://security.cloakapi.io/hall-of-fame/ # PGP fingerprint: # 2C60 8570 23B3 115A 5B54 E6ED F30A 0D69 1DB0 45B3 # # Response-time SLA: # - Acknowledgement of receipt: within 24 hours # - Initial triage and severity classification: within 72 hours # - Status updates: at minimum every 7 days until resolution # # Safe-harbor: # Good-faith security research that respects user privacy and avoids # data destruction, service degradation, or social-engineering of staff # will not be subject to legal action by CloakAPI. See /policy for the # full coordinated-disclosure policy and scope.