Vulnerability Disclosure Policy
CloakShell welcomes reports from security researchers who help us protect our community. This policy describes what we ask for, what you can expect in return, and how we work together when a vulnerability is found. We do not collect, sell, or mine user data, and we take reports that touch user privacy especially seriously.
In scope
- cloakshell.com and api.cloakshell.com
- The public-facing CloakShell backend
Out of scope
- Third-party services we depend on, including Supabase, Cloudflare, Resend, and Stripe
- Social engineering of CloakShell employees, contractors, or vendors
- Physical attacks against CloakShell staff, offices, or infrastructure
- Denial-of-service attacks, including volumetric, application-layer, and resource-exhaustion attacks
- Automated scanner output without manual verification or a working proof of concept
- Self-XSS that requires the victim to paste attacker-controlled input into their own browser
- Reports from automated tools without proof of impact
Safe harbor
Researchers acting in good faith under this policy will not face legal action from CloakShell. Do not access data belonging to other users beyond what is necessary to demonstrate the issue. Stop testing and report as soon as a vulnerability is identified. Make a good-faith effort to avoid privacy violations, service disruption, and destruction of data while you work. If you are unsure whether a specific action is covered, email us first.
How to report
Email security@cloakshell.com with the subject prefix [Security Disclosure]. A good report includes:
- Clear, numbered reproduction steps
- An impact assessment describing what an attacker could achieve
- Any affected accounts or data, referenced by opaque IDs only, never user content
- Suggested remediation or mitigations, if you have them
- Your preferred name or handle for credit, if you want to be credited publicly
Please do not post vulnerability details on social media, public forums, or issue trackers before we have had a chance to investigate and deploy a fix.
Response expectations
- Initial acknowledgment: within 5 business days of your report
- Triage and severity assessment: within 10 business days
- Status updates: at least every 15 business days until the issue is resolved
- Credit: we will credit disclosers in release notes if they want recognition
Ground rules
- No public disclosure until a fix is deployed or 90 days have elapsed from your initial report, whichever comes first
- Coordinated disclosure is encouraged. Reach out if you need more time
- Do not exfiltrate user data. Demonstrate impact with the minimum data required
- Do not use automated tools that generate excessive traffic against production
- Use test accounts you control whenever possible