Vulnerability Disclosure Policy

Version 1.0 · Effective 2026-05-23 · Next review 2026-11-23

CloakAPI welcomes coordinated vulnerability reports from security researchers and the wider community. This policy describes what we consider in scope, how to report safely, what to expect from us in response, and the safe-harbour commitments we make to good-faith researchers.

Quick reference
Report to: security@cloakapi.io (PGP key: /pgp-key.asc, fingerprint 2C60 8570 23B3 115A 5B54 E6ED F30A 0D69 1DB0 45B3)
Authoritative security.txt: security.cloakapi.io/.well-known/security.txt

1. Scope

In scope

Out of scope

2. Safe-harbour

Good-faith security research that respects user privacy and avoids data destruction, service degradation, or social-engineering of staff will not be subject to legal action by CloakAPI. Specifically, we will not pursue civil action or report you to law enforcement for activities that:

Safe-harbour does not apply to actions that violate applicable law (e.g. GDPR Article 32 unauthorised processing, CFAA-equivalent unauthorised access beyond scope), extortion attempts, or public disclosure prior to the agreed window.

3. How to report

  1. Email security@cloakapi.io. Encrypt with our PGP key for sensitive reports.
  2. Include: a clear summary, affected endpoint or component, reproduction steps, proof-of-concept (curl, screenshot, or short video), and impact assessment.
  3. Do not open a public GitHub issue, post on social media, or notify customers directly during the embargo.
  4. If you have not received an acknowledgement within 48 hours, please re-send (mail relay failures do happen) or contact the Data Protection Officer at dpo@cloakapi.io.

4. What to expect from us

SLATarget
Acknowledgement of receiptWithin 24 hours (business days; 48 hours weekends)
Initial triage and severity classificationWithin 72 hours
Status updatesEvery 7 days minimum until resolution
Critical fixes deployedWithin 7 days where technically feasible
High fixes deployedWithin 30 days
Coordinated public disclosureWithin 90 days, or earlier by mutual agreement

5. Coordinated disclosure timeline

We follow a 90-day coordinated disclosure window from acknowledgement. If a fix is not deployable within 90 days we will communicate the delay and a revised timeline before the window closes. We will not unilaterally extend beyond 120 days without your agreement.

For actively exploited vulnerabilities affecting the EU market we will additionally report to ENISA within 24 hours of confirmation, as required by the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847, Article 14) from its 2027-12-11 application date; we are voluntarily aligning the workflow today. See /legal/eu-regulatory-applicability.

6. Severity classification

SeverityExamples
CriticalUnauthenticated RCE, mass data exfiltration, receipt-chain forgery, signing-key extraction.
HighAuthentication bypass, IDOR exposing cross-tenant data, billing manipulation, full account takeover.
MediumPrivilege escalation within a tenant, rate-limit bypass, CSRF on sensitive actions, stored XSS in authenticated UI.
LowInformation disclosure without direct exploitability, minor logic errors, version headers, stack traces.

7. Recognition (Hall of Fame)

We credit reporters in the CloakAPI Hall of Fame unless they prefer to remain anonymous. We operate a modest good-faith bounty program; amounts vary by severity and impact. Contact security@cloakapi.io to discuss scope and payout before submitting.

8. Legal references

9. Contact