Security
Cairn is a single-device, local-only macOS application. We take security reports seriously and welcome good-faith research. This page explains how to report a vulnerability, what we aim to provide in response, and the scope of our safe-harbor for researchers.
How to report
Email security@cairn.software with:
- A description of the issue and its impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- The version of Cairn and macOS where the issue was observed.
- Any suggested mitigation, if you have one in mind.
If you require encrypted communication, request our PGP public key in your first email and we will provide it. The matching machine-readable contact information is published at /.well-known/security.txt.
What we aim to do
- Aim to acknowledge your report within five business days of receiving it.
- Aim to triage and assess severity within fifteen business days, with a preliminary timeline if the issue is confirmed.
- Aim to coordinate disclosure: we will work with you on a public-disclosure date, with a default target of around 90 days from the date of acknowledgment for confirmed vulnerabilities. We will not unreasonably extend disclosure timelines.
- Credit: with your permission, we will credit you in the changelog of the release that fixes the issue.
Scope
In scope:
- The Cairn macOS application binary (bundle ID software.cairn.app) on supported macOS versions.
- The cairn.software website.
- Issues affecting the confidentiality, integrity, or availability of local user data captured by Cairn.
Out of scope:
- Vulnerabilities in third-party services we do not operate (Apple App Store, etc.).
- Issues that require an attacker to have already compromised the user's macOS account, or to have physical access to an unlocked device (e.g. raw access to the sandbox container or to the user's filesystem).
- Theoretical issues without a practical exploit path.
- Social-engineering, phishing, or denial-of-service reports that do not affect the integrity of locally stored captures.
- Reports based only on documented product choices, without a practical security impact.
Safe harbor for good-faith research
If you act in good faith to identify and report a security issue within this policy, we will:
- Not bring a civil claim against you based solely on that good-faith research.
- Not ask law-enforcement authorities to investigate you based solely on that good-faith research.
- Consider the activity authorised by Cairn only to the extent it is necessary to validate and report the issue, provided you (i) avoid privacy violations, service disruption, and destruction of data, (ii) do not exploit the vulnerability beyond what is necessary to demonstrate it, and (iii) give us reasonable time to fix the issue before public disclosure.
This commitment binds only Cairn. It does not bind public authorities, third-party service providers, or affected users. Researchers acting outside this scope are responsible for their own conduct.
Not in this program (yet)
- Bug bounties: we do not currently pay cash bounties. Public credit and a heartfelt thank-you are what we can offer at MVP scale.
- Pre-disclosure access: we do not provide advance access to source code beyond what is publicly visible.
What we will not accept
- Reports demanding payment or threatening public disclosure within unreasonable timelines.
- Automated scanner output without manual validation.
- Reports for which the only requested "fix" is adding unrelated telemetry or monitoring.
Contact
security@cairn.software
Machine-readable: /.well-known/security.txt
Operator details: legal notice