cloak logo cloak
download
Security

Security & Responsible Disclosure

Security pages build trust when they stay honest. This one explains the current public-site, checkout, and extension scope, what kind of reports we want, and how to raise them responsibly.

Last updated May 31, 2026

Current scope

cloak is early, but the public site now includes a real checkout flow, support forms, activation-code delivery, and the current browser extension. We take security, privacy, abuse, and payment-related reports seriously.

What we are protecting

The current public surface includes the marketing site, support and feedback forms, checkout/session creation, Stripe webhook handling, activation records, and information submitted through those flows. Payment card details are handled by Stripe, not stored directly by cloak.

We work to limit unnecessary access, verify Stripe webhook signatures, keep secrets out of public code, and avoid claiming guarantees we cannot honestly support yet.

How to report a concern

If you need to report a security, privacy, billing, or legal concern, email ray@cloak.build or use the support page and clearly label the message. Include enough detail for us to understand the concern without sending extra sensitive information you do not need to share.

Responsible disclosure

Please do not disrupt the site, access information that is not yours, perform destructive testing, attempt payment abuse, or publicly disclose a vulnerability before we have had a reasonable chance to review it. Good-faith reports that help us protect cloak and its users are welcome.