Security & Trust

Vulnerability disclosure, PGP contact, and conformity with the EU Cyber Resilience Act (CRA).

1. Report a vulnerability

Found a security issue? We welcome confidential reports. Please do not report issues publicly on GitHub or social networks — use the channels below instead.

Confidential contact channels

Email:security@chorilo.com
PGP key:/.well-known/pgp-key.txt
security.txt per RFC 9116:/.well-known/security.txt

2. Scope

In scope

chorilo.com and all production subdomains
Chorilo Backend API
Chorilo Mobile App (iOS, Android)
Chorilo Files Desktop App (macOS, Windows)
Authentication, authorization, data access controls

Out of scope

Automated scanner reports without working proof of concept
Missing security headers without demonstrated impact
Phishing or social engineering of staff
Third-party services (Stripe, Sentry — report directly)
Self-XSS, attacks against the reporter's own device

3. Safe harbor

If you act in good faith, we will not pursue civil or criminal action, provided that you:

Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
Only interact with accounts you own or have explicit permission to access.
Do not exfiltrate more data than necessary to demonstrate the issue.
Give us reasonable time to remediate before any public disclosure.
Do not exploit the vulnerability beyond the minimum needed to confirm it.

4. Response times

Deadline	Action
3 business days	Acknowledgement of receipt to the reporter
10 business days	Initial assessment and severity classification
24 h	Early warning to ENISA for actively exploited vulnerabilities (CRA Art. 14)
72 h	Vulnerability notification with mitigation plan
14 d	Final report with root cause and remediation

For actively exploited vulnerabilities the EU Cyber Resilience Act reporting timeline (24h / 72h / 14d) applies. Affected users will be notified via in-app messages, email, and the status page.

5. PGP key

For especially sensitive reports the following PGP key may be used. The key is also accessible via the security.txt file.

Key ID:F515A8A7A0AF17DB

Fingerprint:D4DECED45D1FBC7D2251A143F515A8A7A0AF17DB

Download: /.well-known/pgp-key.txt

Please compare the fingerprint with a second source — e.g. the public entry on keys.openpgp.org — before first use.

6. CRA conformity

Chorilo complies with the EU Cyber Resilience Act (Regulation 2024/2847):

Vulnerability disclosure policy under Art. 13 and 14 CRA.
Software Bill of Materials (CycloneDX 1.5) per component.
Technical documentation under Annex VII, retained for 10 years.
Public status page and incident history at /status

7. Hall of fame

A list of security researchers who have helped improve Chorilo's security will be published here once the first reports have been resolved.