Security
Coordinated Disclosure Policy
Found something? We'd love to hear about it — and we'll treat you well for telling us.
RFC 9116 · security@conjuring.ai
How to report
Email security@conjuring.ai. Include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce — a minimal proof-of-concept is ideal. Screenshots and HTTP captures are welcome.
- The Thread version, operating system, and any configuration details that matter.
- Your preferred name or handle for credit (or tell us you'd rather stay anonymous).
Prefer encrypted? PGP key fingerprint and full public key are linked from /.well-known/security.txt.
What we commit to
- Acknowledge within 72 hours. A real human reads every report.
- Triage within 7 days. We'll confirm severity, assign a fix owner, and give you a rough timeline.
- Fix or mitigate within 90 days for high or critical issues. Most land much faster.
- Credit on the release notes (if you'd like credit) once the fix ships.
- No lawyers. If your testing is in good faith and inside the scope below, we treat your disclosure as authorized — no legal action, no threats.
Scope
In scope:
- The Thread desktop app (all versions from 0.1.0 onward).
- conjuring.ai and all subdomains we operate (updates, api, app).
- The auto-update pipeline (signing, notarization, delivery).
- The encrypted-key storage (safeStorage) and any BYOK flow.
Out of scope:
- Third-party services we integrate with (OpenAI, Anthropic, Stripe, Supabase) — report directly to the vendor.
- Physical, social-engineering, or DoS attacks. Please don't.
- Findings that require an already-compromised machine or a rooted device.
- Issues in pre-release or development builds that haven't been signed for public distribution.
Safe harbor
Research conducted in good faith under this policy is considered authorized. We won't pursue civil or criminal action against you, and we'll go to bat for you if a third party attempts to. In return, please:
- Only access the minimum amount of data required to demonstrate the issue.
- Don't exfiltrate, modify, or destroy other users' data.
- Give us reasonable time to fix before public disclosure — usually 90 days, shorter for trivially-fixable issues or longer by mutual agreement.
Bounty
We aren't running a paid bounty program at this stage of the company. When we do, we'll announce it here. For now, we offer public credit on the release notes, a handwritten thank-you, and honest gratitude.
Contact
Primary: security@conjuring.ai
Machine-readable: /.well-known/security.txt