Legal
Responsible Disclosure
Last updated: 2026-02-05
We welcome security researchers. This page describes how to report a vulnerability so we can fix it and keep customers safe.
Placeholder document. This page is a stub while we finalise the formal legal review. The final version will land before public launch. In the meantime, if you have specific compliance questions email hello@cloudgenie.co and we'll respond within one working day.
Scope
All CloudGenie-owned domains (*.cloudgenie.co) and the cg CLI binaries.
Out of scope
- Social engineering, phishing, or physical attacks.
- DoS / DDoS testing.
- Findings in third-party services we depend on (report to them directly).
How to report
Email security@cloudgenie.co with a description, reproduction steps, and any proof-of-concept material. GPG public key on request.
Our commitment
- Acknowledgement within 24 hours.
- Triage decision within 3 business days.
- Coordinated public disclosure once a fix is deployed.
- Credit in a public hall-of-fame if you want it.
Safe harbour
We will not pursue legal action against researchers who follow this policy in good faith.