Security

Responsible disclosure.

Found a vulnerability in CipherM? Report it to us before posting. We'll fix it fast, credit you, and won't pursue good-faith research.

How to report

  • Email — security@cipherm.io (preferred); disclose privately and we acknowledge within 72 hours
  • PGP — a key will be published when key rotation lands; until then, send a plaintext summary by email

Please include: a clear description, reproduction steps, the affected version (CLI / scanner / registry / detection rules), and your assessment of impact.

Scope

In scope:

  • The hosted registry at cipherm.io (and its IP-based predecessor)
  • The cipherm-scan / cipherm-tls CLIs
  • The detection ruleset (false-positive / false-negative reports also welcome)
  • The CycloneDX validator endpoint

Out of scope:

  • Denial-of-service via volumetric load (use the OSS CLI locally for any heavy testing)
  • Spam, mass account creation, or credential-stuffing reports against authentication that has not yet shipped
  • Social engineering against the founder or hosting providers
  • Issues in third-party services we depend on (report to them; CC us if it affects CipherM users)

Our commitments

  • Acknowledge your report within 72 hours
  • Provide an initial triage within 7 days
  • Ship a fix within 30 days for critical issues, 90 days for everything else
  • Credit you in the public disclosure (or keep it private if you prefer)
  • Not pursue legal action for good-faith research that respects this policy

Bug bounty (informal)

We are pre-traction and can't pay cash bounties. What we can offer for valid reports:

  • Free Pro tier for life when Pro launches
  • Public credit on the changelog and security advisory
  • CipherM logo merch when it exists

If you find something serious enough to warrant cash compensation, email us anyway. We'll make it right.

Architecture-level security notes

  • CBOM artifacts are content-addressed (SHA-256). Identical uploads dedupe.
  • No source code is ever uploaded — only the CipherM-emitted CBOM, which contains file paths + line numbers + short snippets but not full source.
  • Public CBOMs are publicly readable. Don't upload anything you wouldn't commit to a public repository.
  • Unlisted / private CBOMs are not yet a feature (Pro tier roadmap, week 6 of the 90-day plan).