Vulnerability Disclosure Policy
CloakAPI welcomes coordinated vulnerability reports from security researchers and the wider community. This policy describes what we consider in scope, how to report safely, what to expect from us in response, and the safe-harbour commitments we make to good-faith researchers.
Report to:
security@cloakapi.io (PGP key:
/pgp-key.asc,
fingerprint 2C60 8570 23B3 115A 5B54 E6ED F30A 0D69 1DB0 45B3)Authoritative
security.txt:
security.cloakapi.io/.well-known/security.txt
1. Scope
In scope
- Gateway API (
api.cloakapi.io,/v1/*): authentication bypass, token replay, receipt forgery, rate-limit bypass, IDOR, privilege escalation, CSRF on authenticated endpoints, billing manipulation. - Browser portal (
app.cloakapi.io): XSS, CSRF, auth bypass, IDOR, payment-flow manipulation. - Documentation, demo, status, and security sites (
docs/demo/status/security.cloakapi.io): server-side or stored XSS, cache poisoning, sensitive-information exposure. - Receipt verifier (
signedreceipts.org, attestations subdomain): canonicalisation flaws enabling undetectable receipt forgery, key-discovery spoofing. - Open-source SDKs (Python, TypeScript, Go) and verifier CLI: insecure default configuration that silently disables tokenisation or receipt verification; supply-chain integrity issues.
- Infrastructure observable from outside: TLS misconfiguration, exposed admin endpoints, open object storage, leaked secrets.
Out of scope
- Social engineering of CloakAPI staff or customers.
- Physical access attacks against CloakAPI hardware or offices.
- Denial-of-service (volumetric DDoS, resource exhaustion) that does not lead to data exposure or service hijack.
- Scanner-generated reports without a demonstrated exploit (no automated tool dumps).
- Vulnerabilities in third-party dependencies already publicly disclosed and tracked on our active patch timeline (see SBOM at /legal/sbom.json).
- Self-XSS that requires the victim to paste code into their own browser.
- Clickjacking on pages with no sensitive action.
- Missing HSTS on non-sensitive subdomains.
- Theoretical vulnerabilities without a working proof of concept.
2. Safe-harbour
Good-faith security research that respects user privacy and avoids data destruction, service degradation, or social-engineering of staff will not be subject to legal action by CloakAPI. Specifically, we will not pursue civil action or report you to law enforcement for activities that:
- Are limited to the scope listed above.
- Stop at the point of discovering or confirming the issue (e.g. do not exfiltrate data beyond proving the flaw, do not pivot to other systems).
- Avoid accessing, modifying, or deleting other users' data.
- Respect rate limits and avoid actions that would degrade service for other users.
- Report the issue privately to
security@cloakapi.ioand give us a reasonable disclosure window (see §5).
Safe-harbour does not apply to actions that violate applicable law (e.g. GDPR Article 32 unauthorised processing, CFAA-equivalent unauthorised access beyond scope), extortion attempts, or public disclosure prior to the agreed window.
3. How to report
- Email
security@cloakapi.io. Encrypt with our PGP key for sensitive reports. - Include: a clear summary, affected endpoint or component, reproduction steps, proof-of-concept (curl, screenshot, or short video), and impact assessment.
- Do not open a public GitHub issue, post on social media, or notify customers directly during the embargo.
- If you have not received an acknowledgement within 48 hours, please re-send (mail relay failures do happen) or contact the Data Protection Officer at
dpo@cloakapi.io.
4. What to expect from us
| SLA | Target |
|---|---|
| Acknowledgement of receipt | Within 24 hours (business days; 48 hours weekends) |
| Initial triage and severity classification | Within 72 hours |
| Status updates | Every 7 days minimum until resolution |
| Critical fixes deployed | Within 7 days where technically feasible |
| High fixes deployed | Within 30 days |
| Coordinated public disclosure | Within 90 days, or earlier by mutual agreement |
5. Coordinated disclosure timeline
We follow a 90-day coordinated disclosure window from acknowledgement. If a fix is not deployable within 90 days we will communicate the delay and a revised timeline before the window closes. We will not unilaterally extend beyond 120 days without your agreement.
For actively exploited vulnerabilities affecting the EU market we will additionally report to ENISA within 24 hours of confirmation, as required by the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847, Article 14) from its 2027-12-11 application date; we are voluntarily aligning the workflow today. See /legal/eu-regulatory-applicability.
6. Severity classification
| Severity | Examples |
|---|---|
| Critical | Unauthenticated RCE, mass data exfiltration, receipt-chain forgery, signing-key extraction. |
| High | Authentication bypass, IDOR exposing cross-tenant data, billing manipulation, full account takeover. |
| Medium | Privilege escalation within a tenant, rate-limit bypass, CSRF on sensitive actions, stored XSS in authenticated UI. |
| Low | Information disclosure without direct exploitability, minor logic errors, version headers, stack traces. |
7. Recognition (Hall of Fame)
We credit reporters in the
CloakAPI Hall of Fame unless they
prefer to remain anonymous. We operate a modest good-faith bounty program; amounts vary by
severity and impact. Contact security@cloakapi.io to discuss scope and payout
before submitting.
8. Legal references
- RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure (security.txt).
- ISO/IEC 29147:2018 — Vulnerability disclosure.
- EU Cyber Resilience Act, Regulation (EU) 2024/2847, Article 13–14 (coordinated vulnerability disclosure).
- NIS2 Directive (EU) 2022/2555, Article 23 (incident reporting workflow).
9. Contact
- Security reports:
security@cloakapi.io - Data Protection Officer:
dpo@cloakapi.io - PGP: security.cloakapi.io/pgp-key.asc (fingerprint
2C60 8570 23B3 115A 5B54 E6ED F30A 0D69 1DB0 45B3) - Postal: Klokk Nettablering, Norway (operator of CloakAPI)