Vulnerability disclosure

Good-faith security research is welcome and encouraged. Cavaridge will not pursue legal action against researchers who follow the scope and safe-harbor terms below.

Operator + legal review pending. Reward amounts and the PGP key are pending operator publication. Until then, qualifying reports receive written acknowledgement, public credit (with researcher consent), and a Cavaridge swag pack.

In scope

  • cavaridge.app and all *.cavaridge.app subdomains
  • *.cavaridge.ai subdomains
  • *.cavaridge.com subdomains
  • Cavaridge-published mobile or desktop apps
  • The Cavaridge public API (api.cavaridge.app)
  • The Cavaridge MCP gateway (mcp.cavaridge.app)

Out of scope

  • Third-party SaaS Cavaridge consumes (Stripe, Supabase, OpenRouter, model providers, etc.) — report to the vendor directly
  • Marketing pages of Cavaridge partners
  • Findings on the status page itself unless they enable spoofing of incident state
  • Self-XSS, clickjacking on non-sensitive pages, missing best-practice headers without exploit, rate-limit absence on non-sensitive endpoints
  • Reports generated by automated tools without manual verification
  • Denial of service, social engineering of Cavaridge staff or customers, physical security testing

Safe harbor

Research conducted in good faith and within the scope above is authorized under this program. Cavaridge will:

  • not pursue or support legal action against you for the research,
  • not refer the activity to law enforcement, and
  • treat the activity as authorized for the purpose of the Computer Fraud and Abuse Act (CFAA), state computer-crime laws, and the Digital Millennium Copyright Act (DMCA).

Good faith means: you do not access, modify, or destroy data beyond what is necessary to demonstrate the vulnerability; you do not exfiltrate data; you do not degrade service for customers; you give Cavaridge a reasonable opportunity to remediate before public disclosure (we ask for 90 days, less if the operator confirms remediation sooner).

How to report

Email security@cavaridge.com. Include:

  • A clear description of the issue and its impact
  • Reproduction steps (commands, requests, screenshots)
  • Affected endpoint(s) and any account or tenant context
  • Whether you believe the issue has been disclosed elsewhere
  • Your preferred contact method and credit name (or a request for anonymity)

Encrypt sensitive details with the Cavaridge security PGP key (publication pending operator key generation — see the banner above).

Severity and acknowledgement

Severity | Examples                                                                          | First-touch SLA  | Reward
---------|-----------------------------------------------------------------------------------|------------------|--------------------------
Critical | RCE; tenant isolation break; auth bypass on a privileged surface                  | 1 business day   | Pending operator decision
High     | Authenticated privilege escalation; PII exposure across tenants                   | 2 business days  | Pending operator decision
Medium   | CSRF on a sensitive endpoint; XSS in an authenticated surface                     | 5 business days  | Pending operator decision
Low      | Information disclosure with limited impact; missing security headers with proof   | 10 business days | Acknowledgement

Reward amounts will be published once operator approval is captured. Reports submitted before publication are eligible for retroactive reward at the operator's discretion.

See also: /security · /trust · status.cavaridge.app