Disclosure policy
CloakAPI runs a public coordinated-disclosure programme. The full policy
(RFC 9116 security.txt, hall-of-fame, encryption keys) is at
security.cloakapi.io. The short version:
Where to send reports
- Email: security@cloakapi.io
- PGP key: 0xF30A0D691DB045B3 — fingerprint and full key at https://security.cloakapi.io/.well-known/pgp-key.asc
- Web form: https://security.cloakapi.io/disclose
What’s in scope
- *.cloakapi.io — all subdomains.
- signedreceipts.org and the OpenReceipt v1 reference implementation.
- Browser portal, browser extension, desktop client (Tauri).
- Self-hosted SDKs (npm + PyPI).
What’s out of scope
- Marketing site (WordPress) — report via the form, but not eligible for bounty.
- Subdomain takeovers on third-party services we use (e.g. status page provider) — report directly to them.
- Social engineering, physical attacks.
Response SLA
| Phase | Target |
|---|---|
| First response | 24 hours |
| Triage decision | 5 business days |
| Fix in production | depends on severity (SEV-1: 7 days, SEV-2: 30 days) |
| Public disclosure | 90 days from triage (negotiable) |
Rewards
We pay USD 100–10,000 per finding depending on severity, exploitability,
and report quality. Public hall-of-fame for accepted reports at
security.cloakapi.io/hall-of-fame.