
Security & vulnerability disclosure

Found a security issue? Email security@chieflab.io. We acknowledge within 72h, give a remediation timeline within 7 business days, and we don't sue people who report in good faith.

Last updated 2026-05-13 · v0.1

Quick contact: security@chieflab.io · machine-readable: /.well-known/security.txt per RFC 9116.

1. How to report

  • Email security@chieflab.io.
  • PGP key: available on request — we will publish a key on this page when the first reporter requests encryption.
  • Acknowledgment: within 72 hours.
  • Triage and remediation timeline: provided within 7 business days of acknowledgment.
  • Please do not open public GitHub issues for security reports. Use email so we can triage privately.

2. Scope

The following are in scope for security research under this policy:

  • chieflab.io and subdomains (api.chieflab.io, app.chieflab.io).
  • API endpoints under api.chieflab.io/api/* — REST and MCP.
  • Signed run viewer at chieflab.io/runs/:id.
  • Authenticated dashboard at chieflab.io/app.
  • Key delivery at chieflab.io/get-key.
  • Published npm packages: @chieflab/cli, @chieflab/mcp-server, @chieflab/sdk.

3. Out of scope

  • Vulnerabilities in subprocessors that are not exploitable through ChiefLab. Report those to the subprocessor.
  • Volumetric / denial-of-service attacks (proof-of-concept reports of vulnerability classes are fine; actual DoS testing is not).
  • Issues requiring physical access to a user's device.
  • Social-engineering of ChiefLab personnel, customers, or vendors.
  • Theoretical attacks without demonstrable impact.
  • Self-XSS, clickjacking on pages without sensitive state, missing SPF / DKIM / DMARC on the bare apex (we set these on mail.chieflab.io).
  • Findings from automated scanners without a manually verified exploit path.

4. Safe harbor

If you make a good-faith effort to comply with this policy, we will not initiate legal action against you and we will not report you to law enforcement.

"Good faith" means:

  • You do not access data of other workspaces beyond what is necessary to demonstrate the issue.
  • You do not destroy, alter, or exfiltrate data.
  • You do not disrupt the service for other users.
  • You do not publicly disclose the issue before we have had reasonable time to remediate (default: 90 days from acknowledgment, negotiable).
  • You do not engage in extortion, demanding payment for the report.

If you are uncertain whether an action is in scope, ask first at security@chieflab.io.

5. Recognition

We publicly credit reporters who request it, on this page, where the reproducer and report quality permit. No formal bug bounty today. For high-impact reports we will negotiate compensation case-by-case; the negotiation does not gate remediation.

6. Reproducible audit scripts — ship the proof, not the claim

We maintain reproducible scripts that exercise the security claims we make on /trust. These can be shared with customers under NDA or run live during diligence so reviewers can verify the controls without taking our word for it.

  • scripts/review-url-hmac-test.mjs — verifies that signed reviewUrls reject tampered signatures, expired TTLs, and revoked signing keys.
  • scripts/approval-gate-bypass-test.mjs — attempts every documented + plausibly-undocumented path to fire a publish action without an approved publishAction; expects all attempts to be rejected with requires_approval.
  • scripts/cold-stranger-smoke.mjs — exercises the cold-onboarding path (signup → MCP → first call); flags failures publicly in cold-stranger-status.json.

Audit reports for the most recent runs are committed to the repo under docs/ (e.g., docs/COLD_START_AUDIT_*.json, docs/APPROVAL_BYPASS_AUDIT_*.md, docs/REVIEW_URL_HMAC_AUDIT_*.md). We commit failures publicly; that's the proof.

7. Compliance posture (today)

  • SOC 2 Type II: not yet. On the roadmap once we have the headcount + audit cadence to support it sustainably; we will publish a target date when it's grounded in a real engagement rather than a hand-wave.
  • GDPR: covered via Privacy Policy + DPA; SCCs Module Two in DPA.
  • UK GDPR: same, with UK ICO IDTA Addendum.
  • PDPA (Singapore): governing-law jurisdiction; documented compliance.
  • CCPA / CPRA: addressed in Privacy §9.
  • HIPAA, PCI-DSS: not supported. Do not use ChiefLab to process PHI or cardholder data.

8. Known limits we'd rather you knew up front

  • Vercel cron is once-per-day on the current plan; webhook retry windows can be up to 24h until we move to Pro.
  • Sending domain mail.chieflab.io is verified; onboarding@resend.dev is the bootstrap fallback when a workspace has no verified domain.
  • SOC 2 is on the roadmap, not in hand. We provide documented controls + reproducible scripts in the meantime; that is the SOC 2 audit input.

9. Contact

  • Vulnerabilities: security@chieflab.io
  • Privacy: privacy@chieflab.io
  • Legal requests: legal@chieflab.io