Security
Cairn is a single-device, local-only macOS application. We take security reports seriously and welcome good-faith research. This page explains how to report a vulnerability, what we commit to in response, and the scope of our safe-harbor for researchers.
How to report
Email [email protected] with:
- A description of the issue and its impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- The version of Cairn and macOS where the issue was observed.
- Any suggested mitigation, if you have one in mind.
If you require encrypted communication, request our PGP public key in your first email and we will provide it. The matching machine-readable contact information is published at /.well-known/security.txt.
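A security.txt file under /.well-known/ follows RFC 9116: one `Field: value` per line, `#` comments, case-insensitive field names, with `Contact` and `Expires` mandatory and `Expires` allowed only once. The checker below is an added example written for this page, not Cairn's code; the sample file it validates is constructed for the example, and its mailbox, URLs and expiry date are assumptions rather than Cairn's published values.

```python
# Added example: a minimal RFC 9116 security.txt checker (not Cairn's code).
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample modelled on the fields this page describes. The mailbox,
# URLs and expiry date are assumptions for the example, not Cairn's real file.
SAMPLE_SECURITY_TXT = """\
# Cairn security contact (sample)
Contact: mailto:security@example.invalid
Expires: 2030-01-01T00:00:00Z
Policy: https://cairn.software/security
Encryption: https://cairn.software/pgp-key.txt
Preferred-Languages: en, it
"""

REQUIRED = {"contact", "expires"}
ONCE_ONLY = {"expires", "preferred-languages"}
# Fields whose value is a URI; web URIs in them must use https.
WEB_URI_FIELDS = ("policy", "canonical", "acknowledgments", "hiring", "encryption")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse field lines into {lowercased name: [values]}; comments and blanks are skipped."""
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {name}")
    for name in sorted(ONCE_ONLY & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"field must appear at most once: {name}")

    # Contact must be a URI; RFC 9116 gives mailto:, tel: and https: as the forms.
    for value in fields.get("contact", []):
        if not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {value}")

    # Expires is an RFC 3339 timestamp with a timezone; a past value means the file is stale.
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone offset")
        elif expires <= now:
            problems.append(f"security.txt expired on {value}")

    # Plain-http links would let a network attacker swap the policy or PGP key.
    for name in WEB_URI_FIELDS:
        for value in fields.get(name, []):
            if value.startswith("http://"):
                problems.append(f"{name} must use https, not http: {value}")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["ok"]:
        print(problem)
```

Run it against the file you actually serve (for example `validate_security_txt(open("security.txt").read())`) as part of release checks; the `Expires` check is the one that most often fails silently in practice, since a stale file tells researchers the contact may no longer be monitored.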
What we commit to
- Acknowledgment within five business days of your initial report.
- Triage and severity assessment within fifteen business days, with a preliminary timeline if the issue is confirmed.
- Coordinated disclosure: we will work with you on a public-disclosure date, with a default of 90 days from the date of acknowledgment for confirmed vulnerabilities. We will not unreasonably extend disclosure timelines.
- Credit: with your permission, we will credit you in the changelog of the release that fixes the issue.
Scope
In scope:
- The Cairn macOS application binary (bundle ID software.cairn.app) on supported macOS versions.
- The cairn.software website.
- Issues affecting the confidentiality, integrity, or availability of local user data captured by Cairn.
Out of scope:
- Vulnerabilities in third-party services we do not operate (Apple App Store, Hugging Face model CDN, etc.).
- Issues that require an attacker to have already compromised the user's macOS account, or to have physical access to an unlocked device (e.g. raw access to the sandbox container or to the user's filesystem).
- Theoretical issues without a practical exploit path.
- Social-engineering, phishing, or denial-of-service reports that do not affect the integrity of locally stored captures.
- Reports based on Cairn's design choices documented in the Privacy Pledge — those are not bugs.
Safe harbor for good-faith research
If you act in good faith to identify and report a security issue, we will:
- Not pursue civil or criminal action against you for the research itself.
- Not report your activity to law-enforcement authorities.
- Treat your activity as authorised access for the purposes of the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act 1990, Italian Legislative Decree 70/2003, and analogous laws — provided you (i) act in good faith, (ii) avoid privacy violations, service disruption, and destruction of data, (iii) do not exploit the vulnerability beyond what is necessary to demonstrate it, and (iv) give us reasonable time to fix the issue before public disclosure.
Researchers acting outside this scope are responsible for their own conduct.
Not in this program (yet)
- Bug bounties: we do not currently pay cash bounties. Public credit and a heartfelt thank-you are what we can offer at MVP scale.
- Pre-disclosure access: we do not provide advance access to source code beyond what is publicly visible.
What we will not accept
- Reports demanding payment or threatening public disclosure within unreasonable timelines.
- Automated scanner output without manual validation.
- Reports for which the only "fix" would be to violate the Privacy Pledge (e.g. "add a telemetry beacon to detect tampering").
Contact
[email protected]
Machine-readable: /.well-known/security.txt
Operator details: legal notice