Security
Cairn is a single-device, local-only macOS application. We take security reports seriously and welcome good-faith research. This page explains how to report a vulnerability, what we commit to in response, and the scope of our safe-harbor for researchers.
How to report
Email [email protected] with:
- A description of the issue and its impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- The version of Cairn and macOS where the issue was observed.
- Any suggested mitigation, if you have one in mind.
If you require encrypted communication, request our PGP public key in your first email and we will provide it. The matching machine-readable contact information is published at /.well-known/security.txt.
What we commit to
- Acknowledgment within five business days of your initial report.
- Triage and severity assessment within fifteen business days, with a preliminary timeline if the issue is confirmed.
- Coordinated disclosure: we will work with you on a public-disclosure date, with a default of 90 days from the date of acknowledgment for confirmed vulnerabilities. We will not unreasonably extend disclosure timelines.
- Credit: with your permission, we will credit you in the changelog of the release that fixes the issue.
Scope
In scope:
- The Cairn macOS application binary (bundle ID com.sonavia.cairn) on supported macOS versions.
- The cairn.software website.
- Issues affecting the confidentiality, integrity, or availability of local user data captured by Cairn.
Out of scope:
- Vulnerabilities in third-party services we do not operate (Apple App Store, Hugging Face model CDN, etc.).
- Issues that require an attacker to have already compromised the user's Mac account (e.g. raw access to the sandbox container).
- Theoretical issues without a practical exploit path.
- Reports based on Cairn's design choices documented in the Privacy Pledge — those are not bugs.
Safe harbor for good-faith research
If you act in good faith to identify and report a security issue, we will:
- Not pursue civil or criminal action against you for the research itself.
- Not report your activity to law-enforcement authorities.
- Treat your activity as authorized under the Computer Fraud and Abuse Act (CFAA), the EU NIS2 Directive's national transpositions, and similar laws — provided you (i) act in good faith, (ii) avoid privacy violations and destruction of data, (iii) do not exploit the vulnerability beyond what is necessary to demonstrate it, and (iv) give us reasonable time to fix the issue before public disclosure.
Researchers acting outside this scope are responsible for their own conduct.
Not in this program (yet)
- Bug bounties: we do not currently pay cash bounties. Public credit and a heartfelt thank-you are what we can offer at MVP scale.
- Pre-disclosure access: we do not provide advance access to source code beyond what is publicly visible.
What we will not accept
- Reports demanding payment or threatening public disclosure within unreasonable timelines.
- Automated scanner output without manual validation.
- Reports for which the only "fix" would be to violate the Privacy Pledge (e.g. "add a telemetry beacon to detect tampering").
Contact
[email protected]
Machine-readable: /.well-known/security.txt
Operator details: imprint.html