Security

Responsible Disclosure

We take the security of Cipher seriously. If you've found a vulnerability in our platform, we want to hear from you.

Report a vulnerability

Send your report to security@cipherapp.dev. Encrypt sensitive reports with our PGP key (available on request).

Include: a description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, logs, proof-of-concept code).
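The encryption step above, as an added example that is not part of Cipher's policy or tooling: a POSIX shell script that imports a vendor PGP key, refuses to encrypt unless the key's fingerprint matches a value obtained over a second channel, and then produces an ASCII-armored message. A key sent "on request" arrives over the same channel an interceptor could tamper with, so the fingerprint check is the part that matters. It assumes only that gpg 2.1 or later is installed; the throwaway key pair, the temporary paths and the report text are constructed here and stand in for the real key and report.

```shell
#!/bin/sh
# Added example, not Cipher's own tooling: encrypt a report to the vendor's
# PGP key only after its fingerprint has been checked against a value obtained
# out of band. To stay offline, a throwaway key pair stands in for the key
# "available on request"; the paths and the report text are constructed here.
set -eu

WORK=$(mktemp -d)                    # scratch area under $TMPDIR or /tmp
VENDOR_HOME="$WORK/vendor-gnupg"     # vendor's keyring (simulates Cipher's side)
REPORTER_HOME="$WORK/reporter-gnupg" # your keyring
CIPHER_PUBKEY="$WORK/cipher-security.asc"
REPORT="$WORK/report.txt"
mkdir -m 700 "$VENDOR_HOME" "$REPORTER_HOME"

# Common flags: no prompts, no interactive passphrase entry.
GPG="gpg --batch --quiet --pinentry-mode loopback"

# Vendor side: generate a throwaway key for the contact address and export the
# public half. Prints the fingerprint, which in practice you would obtain from
# a second channel (the vendor's site over TLS, a phone call, a keyserver check).
make_vendor_key() {
    GNUPGHOME="$VENDOR_HOME" $GPG --passphrase '' \
        --quick-generate-key "Cipher Security <security@cipherapp.dev>" default default never
    GNUPGHOME="$VENDOR_HOME" $GPG --armor --export security@cipherapp.dev > "$CIPHER_PUBKEY"
    GNUPGHOME="$VENDOR_HOME" gpg --batch --with-colons --fingerprint security@cipherapp.dev \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Reporter side: import the key, stop unless the fingerprint now in the keyring
# matches the one confirmed out of band, then encrypt.
# $1 = expected fingerprint, $2 = plaintext report, $3 = armored output file
encrypt_report() {
    GNUPGHOME="$REPORTER_HOME" $GPG --import "$CIPHER_PUBKEY"
    actual=$(GNUPGHOME="$REPORTER_HOME" gpg --batch --with-colons --fingerprint \
        security@cipherapp.dev | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$1" ]; then
        echo "refusing to encrypt: fingerprint $actual does not match expected $1" >&2
        return 1
    fi
    # --trust-model always: trust was established by the fingerprint check, so
    # gpg must not balk at an unsigned key. --armor yields mail-safe text.
    GNUPGHOME="$REPORTER_HOME" $GPG --armor --trust-model always \
        --recipient security@cipherapp.dev --encrypt --output "$3" "$2"
}

# Vendor side again: decrypt, so the round trip can be checked.
vendor_decrypt() {
    GNUPGHOME="$VENDOR_HOME" $GPG --decrypt "$1"
}

# Constructed sample report; the content is illustrative only.
printf 'Title: example finding\nSteps: see attached proof of concept\n' > "$REPORT"
EXPECTED_FPR=$(make_vendor_key)
encrypt_report "$EXPECTED_FPR" "$REPORT" "$REPORT.asc"
head -n 1 "$REPORT.asc"   # -----BEGIN PGP MESSAGE-----
```

In real use, replace the generated key with the file Cipher sends you, take the expected fingerprint from a source other than that email, and attach the resulting `.asc` file (or paste its contents) in your report.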

Our process

01

Acknowledgment

We will acknowledge receipt of your report within 24 hours.

02

Triage

Our security team will assess the severity and validity of the report within 3 business days.

03

Remediation

We will work to resolve confirmed vulnerabilities promptly. We aim to patch critical issues within 7 days.

04

Disclosure

Once resolved, we will coordinate public disclosure with you. We follow a 90-day disclosure timeline.

In scope

  • cipherapp.dev and all subdomains
  • Cipher API endpoints
  • Authentication and authorization flows
  • Data exposure or leakage vulnerabilities
  • Server-side vulnerabilities (SSRF, RCE, injection)

Out of scope

  • Social engineering or phishing attacks on Cipher employees
  • Denial-of-service attacks
  • Physical security issues
  • Third-party services and integrations not operated by Cipher
  • Automated scanning without prior approval

Safe harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue civil or criminal action against researchers who follow this policy. If legal action is initiated by a third party against you for activities conducted under this policy, we will make reasonable efforts to make it known that your actions were authorized.

Recognition

We believe in recognizing the contributions of security researchers. With your permission, we will acknowledge you on our security hall of fame. We are working toward establishing a formal bug bounty program — stay tuned.